Preface



The 1998 Annual Conference of the European Association for Computer Science 
Logic, CSL’98, was held in Brno, Czech Republic, during August 24-28, 1998. 
CSL’98 was the 12th in a series of workshops and the 7th to be held as the 
Annual Conference of the EACSL. 

The conference was organized at Masaryk University in Brno by the Faculty of
Informatics in cooperation with universities in Aachen, Caen, Hagen, Linz,
Metz, Pisa, Szeged, Vienna, and other institutions. CSL’98 formed one part of
a federated conferences event, the other part being MFCS’98, the 23rd
International Symposium on the Mathematical Foundations of Computer Science.
This federated conferences event consisted of common plenary sessions, invited 
talks, several parallel technical programme tracks, a dozen satellite workshops 
organized in parallel, and tutorials. 

The Federated CSL/MFCS’98 Conferences event included 19 invited talks, four 
of them joint CSL/MFCS’98 talks (D. Harel, W. Maass, Y. Matiyasevic, and 
M. Yannakakis), four for CSL (P. Hajek, J. Mitchell, Th. Schwentick, and J. 
Tiuryn), and eleven for MFCS. Last but not least, two tutorials were organized 
by CSL on the day preceding the symposium on “Inference Rules in Fragments 
of Arithmetic” by Lev Beklemishev and on “Proofs, Types, and Safe Mobile 
Code” by Greg Morrisett. 

A total of 345 persons attended the Federated CSL/MFCS’98 Conference which 
was a great success. 

The program committee of CSL’98 selected 27 of 74 papers submitted for the
conference. From the 27 papers selected for presentation, 25 have been accepted,
following the standard refereeing procedure, for publication in the present
proceedings. Three invited speakers submitted papers that were likewise refereed
and accepted.

Katrin Seyr as co-editor has performed the principal editing work needed in
connection with collecting the successive versions of the papers and tidying things up
for the final appearance of the CSL’98 proceedings as a Springer LNCS volume
using LNCS LaTeX style.

We are most grateful to the numerous referees for their work. Finally, we ex- 
press special thanks to the MFCS/CSL’98 organizing committee chaired by Jan 
Staudek and to Jozef Gruska and Jiri Zlatuska (co-chairs of the MFCS’98 pro- 
gram committee) for the perfect organization of the federated conference. 
Trakhtenbrot Theorem and Fuzzy Logic



Petr Hajek 

Institute of Computer Science, Academy of Sciences 
182 07 Prague, Czech Republic 
hajek@uivt.cz

Dedicated to Professor Boris Abramovich Trakhtenbrot. 



Abstract. Trakhtenbrot theorem is shown to be valid for the three main
fuzzy logics - Łukasiewicz, Gödel and product logic.



1 Introduction 

It follows from Gödel’s completeness theorem that the set of all tautologies of
the classical (Boolean) predicate logic (denote this set by $TAUT^{Bool\forall}$) is
recursively enumerable, i.e. $\Sigma_1$, and it is known that it is $\Sigma_1$-complete. Tautologies
are formulas true in all models and it is crucial that both finite and infinite
models are considered. Finite model theory (flourishing due to its obvious
relevance for databases) uses the language of classical logic but admits only finite
models. See [3]. Let $fTAUT^{Bool\forall}$ be the set of all formulas true in all finite
models. Clearly, $TAUT^{Bool\forall} \subseteq fTAUT^{Bool\forall}$. Trakhtenbrot proved as early as
in 1950 [7] that the set $fTAUT^{Bool\forall}$ is not recursively enumerable (hence not
recursively axiomatizable); moreover, the set is $\Pi_1$-complete. Due to the
properties of classical negation it follows that the set $fSAT^{Bool\forall}$ of all formulas $\varphi$
true at least in one finite model is $\Sigma_1$-complete. The fact that there is no
recursive axiomatic system complete for tautologies of finite model theory means
that deductive methods have only limited importance for database theory.

Fuzzy logic generalizes Boolean logic by introducing more than two truth
values; typically the real unit interval [0, 1] serves as the ordered set of truth
values (truth degrees). Let us stress that fuzzy logic can be developed rather
far in the style of mathematical logic (see [2,1]). On the other hand, there is
research in fuzzy databases [6]. Thus the question whether and in which form the
Trakhtenbrot theorem generalizes to fuzzy logic appears to be very natural. To answer this
question is the main purpose of this paper. We shall investigate three important
fuzzy predicate calculi having [0, 1] for their truth set - Łukasiewicz predicate
logic Ł$\forall$, Gödel predicate logic G$\forall$ and product predicate logic $\Pi\forall$. Let $\mathcal{C}$ vary
over Ł, G, $\Pi$, let $fTAUT_1^{\mathcal{C}\forall}$ be the set of all formulas true in the sense of $\mathcal{C}\forall$ in
all finite models and $fSAT_1^{\mathcal{C}\forall}$ be the set of all formulas true in the sense of $\mathcal{C}\forall$
in at least one finite model. Our main result is as follows:

Theorem. For $\mathcal{C}$ being Ł, G, $\Pi$, the set $fTAUT_1^{\mathcal{C}\forall}$ is $\Pi_1$-complete and the
set $fSAT_1^{\mathcal{C}\forall}$ is $\Sigma_1$-complete.

This - and much more - will be proved in Sect. 3. Section 2 contains prelim- 
inaries on arithmetical hierarchy and fuzzy logic. 



G. Gottlob, E. Grandjean, K. Seyr (Eds.): CSL’98, LNCS 1584, pp. 1-8, 1999. 
2 Preliminaries

The reader is assumed to be familiar with basic properties of recursive sets (of
natural numbers, words etc.), recursive relations and recursive functions. A set
$A$ is $\Sigma_1$ (or recursively enumerable) if there is a binary recursive relation $R$ such
that

$$A = \{n \mid (\exists m) R(m, n)\}.$$

$A$ is $\Pi_1$ if there is a binary recursive relation $R$ such that

$$A = \{n \mid (\forall m) R(m, n)\}.$$

Similarly, $A$ is $\Sigma_2$ if for some ternary recursive relation $R$,

$$A = \{n \mid (\exists m)(\forall k) R(m, k, n)\}$$

etc. $A$ is $\Sigma_1$-complete if it is $\Sigma_1$ and each $\Sigma_1$-set $B$ is recursively reducible to
$A$, i.e. for some recursive function $f$,

$$B = \{n \mid f(n) \in A\}.$$

Similarly for $\Pi_1$-complete etc. A set is $\Delta_1$ if it is both $\Sigma_1$ and $\Pi_1$. Recall that $\Delta_1$
sets are exactly all recursive sets. See [5] for more information. We also assume
that the reader knows the basic notions of the theory of computational complexity,
i.e. what it means that a set is in P (recognized by a deterministic Turing
machine running in polynomial time) or in NP (... nondeterministic Turing
machine ...). Here we deal with polynomial reducibility and NP-completeness
as well as co-NP-completeness. See [4].

Now we recall some basic facts on fuzzy logics. A logic with the truth set
[0, 1] is given by the choice of truth functions determining the truth value of a
compound formula from the truth values of its components. In [1] the reader
may find some theory of continuous t-norms as possible truth functions for the
conjunction, their residua as truth functions of implication and the corresponding
truth functions of negation. We shall not need this; we shall only need three
particular choices. (They are extremely outstanding choices.) Here they are:

Łukasiewicz (Ł):

$$x * y = \max(0, x + y - 1), \tag{1}$$
$$x \Rightarrow y = 1 \text{ for } x \le y, \tag{2}$$
$$x \Rightarrow y = 1 - x + y \text{ for } x > y; \tag{3}$$
$$(-)x = 1 - x \tag{4}$$
Gödel (G):

$$x * y = \min(x, y) \tag{5}$$
$$x \Rightarrow y = 1 \text{ for } x \le y, \tag{6}$$
$$x \Rightarrow y = y \text{ for } x > y; \tag{7}$$
$$(-)0 = 1, \tag{8}$$
$$(-)x = 0 \text{ for } x > 0. \tag{9}$$

Product ($\Pi$):

$$x * y = x \cdot y \text{ (usual multiplication)} \tag{10}$$
$$x \Rightarrow y = 1 \text{ for } x \le y, \tag{11}$$
$$x \Rightarrow y = y/x \text{ for } x > y, \tag{12}$$
$$(-)x \text{ as in Gödel.} \tag{13}$$



The corresponding propositional logic has formulas built from propositional
variables, the constant 0 and connectives $\&$, $\to$. Negation, the min-conjunction
and the max-disjunction are defined as follows:

$\neg\varphi$ is $\varphi \to 0$,
$\varphi \wedge \psi$ is $\varphi \,\&\, (\varphi \to \psi)$,
$\varphi \vee \psi$ is $((\varphi \to \psi) \to \psi) \wedge ((\psi \to \varphi) \to \varphi)$.

Each evaluation $e$ of propositional variables by elements of [0, 1] extends
uniquely to the evaluation $e_{\mathcal{C}}(\varphi)$ of each formula $\varphi$ using the truth functions of
$\mathcal{C}$ ($\mathcal{C}$ being Ł, G, $\Pi$). We are led to the following

Definition. Let $\mathcal{C}$ stand for Ł, G, or $\Pi$.

$SAT_1^{\mathcal{C}} = \{\varphi \mid$ for some [0, 1]-evaluation $e$, $e_{\mathcal{C}}(\varphi) = 1\}$,

$SAT_{pos}^{\mathcal{C}} = \{\varphi \mid$ for some [0, 1]-evaluation $e$, $e_{\mathcal{C}}(\varphi) > 0\}$,

$TAUT_1^{\mathcal{C}} = \{\varphi \mid$ for each [0, 1]-evaluation $e$, $e_{\mathcal{C}}(\varphi) = 1\}$,

$TAUT_{pos}^{\mathcal{C}} = \{\varphi \mid$ for each [0, 1]-evaluation $e$, $e_{\mathcal{C}}(\varphi) > 0\}$.

Clearly, $SAT_1$ stands for 1-satisfiable, $SAT_{pos}$ for positively satisfiable and
similarly $TAUT$ for tautologies. The following summarizes the results on
complexity:

Theorem. ([1] 6.2.17)

(1) $SAT_1^{G} = SAT_{pos}^{G} = SAT_1^{\Pi} = SAT_{pos}^{\Pi} = SAT^{Bool}$ is NP-complete.

(2) $TAUT_{pos}^{G} = TAUT_{pos}^{\Pi} = TAUT^{Bool}$ is co-NP-complete.

(3) $TAUT_1^{G}$, $TAUT_1^{\Pi}$, $TAUT^{Bool}$ are pairwise distinct and all co-NP-complete.

(4) $SAT_{pos}^{Ł} \supset SAT_1^{Ł} \supset SAT^{Bool}$, all NP-complete.

(5) $TAUT_1^{Ł} \subset TAUT_{pos}^{Ł} \subset TAUT^{Bool}$, all co-NP-complete.
The predicate calculus $\mathcal{C}\forall$ has a language consisting of predicates (each having
a positive natural arity). (Here we disregard object constants.)

Atomic formulas have the form $P(x_1, \dots, x_n)$ where $P$ is an $n$-ary
predicate and $x_1, \dots, x_n$ are object variables. If $\varphi, \psi$ are formulas then $\varphi \,\&\, \psi$, $\varphi \to \psi$,
$(\forall x)\varphi$, $(\exists x)\varphi$ are formulas; 0 is a formula.

A model has the form $\mathbf{M} = (M, (r_P)_{P \text{ predicate}})$ where $M \neq \emptyset$ is a set and
$r_P : M^n \to [0, 1]$ is a fuzzy relation on $M$ of arity equal to the arity of $P$. An
evaluation of variables is a mapping $v : Var \to M$ ($Var$ being the set of object
variables). The truth value $\|\varphi\|_{\mathbf{M},v}$ of a formula $\varphi$ (over $\mathcal{C}$) given by $\mathbf{M}$, $v$ is defined
inductively in Tarski’s style, i.e.

$$\|P(x_1, \dots, x_n)\|_{\mathbf{M},v} = r_P(v(x_1), \dots, v(x_n)),$$

$$\|\varphi \,\&\, \psi\|_{\mathbf{M},v} = \|\varphi\|_{\mathbf{M},v} * \|\psi\|_{\mathbf{M},v}, \text{ analogous for } \to,$$

$$\|(\forall x)\varphi\|_{\mathbf{M},v} = \inf\{\|\varphi\|_{\mathbf{M},w} \mid v \equiv_x w\},$$

Analogously for $\exists$, $\sup$. (Note that $v \equiv_x w$ means that $v$ coincides with $w$ for
all arguments except possibly $x$.) $TAUT_1^{\mathcal{C}\forall}$ is the set of all formulas $\varphi$ such that
$\|\varphi\|_{\mathbf{M},v} = 1$ for all $\mathbf{M}$, $v$; $SAT_1^{\mathcal{C}\forall}$ is the set of all $\varphi$ such that $\|\varphi\|_{\mathbf{M},v} = 1$ for
some $\mathbf{M}$, $v$. Similarly for $TAUT_{pos}^{\mathcal{C}\forall}$ and $SAT_{pos}^{\mathcal{C}\forall}$.

Fact. $TAUT_1^{G\forall}$ is $\Sigma_1$-complete; $TAUT_1^{Ł\forall}$ is $\Pi_2$-complete; $TAUT_1^{\Pi\forall}$ is $\Pi_2$-hard
(i.e. each $\Pi_2$ set is reducible to $TAUT_1^{\Pi\forall}$; whether the latter set is itself
$\Pi_2$ is unknown.) See [1]. For results on positive tautologicity/satisfiability see
Appendix here.



3 The results 

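Recall the definition of $fTAUT_1^{\mathcal{C}\forall}$ and of $fSAT_1^{\mathcal{C}\forall}$. Similarly we define $fTAUT_{pos}^{\mathcal{C}\forall}$
to be the set of all formulas having a positive value in the sense of $\mathcal{C}\forall$ in all finite
models and $fSAT_{pos}^{\mathcal{C}\forall}$ the set of all formulas having a positive value in the sense
of $\mathcal{C}\forall$ in at least one finite model.

Surprisingly, the results are rather analogous to those on computational
complexity summarized above.

Theorem.

(1) $fSAT_1^{G\forall} = fSAT_{pos}^{G\forall} = fSAT_1^{\Pi\forall} = fSAT_{pos}^{\Pi\forall} = fSAT^{Bool\forall}$ is $\Sigma_1$-complete.

(2) $fTAUT_{pos}^{G\forall} = fTAUT_{pos}^{\Pi\forall} = fTAUT^{Bool\forall}$, $\Pi_1$-complete.

(3) $fTAUT_1^{G\forall}$, $fTAUT_1^{\Pi\forall}$, $fTAUT^{Bool\forall}$ are pairwise distinct and all $\Pi_1$-complete.

(4) $fSAT_{pos}^{Ł\forall} \supset fSAT_1^{Ł\forall} \supset fSAT^{Bool\forall}$, all $\Sigma_1$-complete.

(5) $fTAUT_1^{Ł\forall} \subset fTAUT_{pos}^{Ł\forall} \subset fTAUT^{Bool\forall}$, all $\Pi_1$-complete.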

The rest of the section contains a proof. 
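Lemma. Let $i(0) = 0$, $i(x) = 1$ for $x > 0$ (double Gödel negation). For
$\mathbf{M} = (M, (r_P)_P)$ let $\mathbf{M}^* = (M, (r^*_P)_P)$ where $r^*_P(a, \dots, b) = i(r_P(a, \dots, b))$ (i.e.
$\mathbf{M}^*$ is crisp). If $\mathbf{M}$ is finite and $\mathcal{C}$ = G or $\Pi$ then for each $\varphi$, $v$

$$\|\varphi\|_{\mathbf{M}^*,v} = i(\|\varphi\|_{\mathbf{M},v}).$$

Thus

$$\|\varphi\|_{\mathbf{M},v} > 0 \text{ implies } \|\varphi\|_{\mathbf{M}^*,v} = 1, \tag{14}$$

$$\|\varphi\|_{\mathbf{M},v} = 0 \text{ implies } \|\varphi\|_{\mathbf{M}^*,v} = 0. \tag{15}$$

Proof easy by induction.

Corollary. For $\mathcal{C}$ being G or $\Pi$,

(i) $fSAT_1^{\mathcal{C}\forall} = fSAT_{pos}^{\mathcal{C}\forall} = fSAT^{Bool\forall}$,

(ii) $fTAUT_{pos}^{\mathcal{C}\forall} = fTAUT^{Bool\forall}$.

Proof. $fSAT^{Bool\forall} \subseteq fSAT_1^{\mathcal{C}\forall} \subseteq fSAT_{pos}^{\mathcal{C}\forall}$ is obvious; $fSAT_{pos}^{\mathcal{C}\forall} \subseteq fSAT^{Bool\forall}$
follows by (1) of the preceding lemma. $fTAUT_{pos}^{\mathcal{C}\forall} \subseteq fTAUT^{Bool\forall}$ is obvious;
the converse inclusion follows by (2) of the lemma.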

This proves (1) and (2) of our Theorem. 

Now we shall elaborate a technique of coding formulas of predicate logic by 
some formulas of propositional logic and finite models by some evaluation of 
propositional variables. 

Definition. Let $\mathbf{M} = (M, (r_{P_i})_{i=1}^{k})$ be a finite model, let $M$ have $n$ elements.
For each predicate $P_i$ of arity $s$ we introduce $n^s$ propositional variables $p_{i j_1 \dots j_s}$
where $j_1, \dots, j_s \in \{1, \dots, n\}$ (assume $M = \{1, \dots, n\}$). Define an evaluation $e_{\mathbf{M}}$
of these propositional variables by setting $e_{\mathbf{M}}(p_{i j_1 \dots j_s}) = r_{P_i}(j_1, \dots, j_s)$ (i.e. the
truth value of $p_{i j_1 \dots j_s}$ is the degree in which $(j_1, \dots, j_s)$ is in the relation $r_{P_i}$).

Investigate formulas of predicate logic with free variables substituted by
elements of $M$. For each such object $\varphi$ we define its translation $\varphi^{*,n}$ as follows:
$(P_i(j_1, \dots, j_s))^{*,n} = p_{i j_1 \dots j_s}$, $(\varphi \,\&\, \psi)^{*,n} = \varphi^{*,n} \,\&\, \psi^{*,n}$, analogously $\to$;
$(0)^{*,n} = 0$; $((\forall x)\varphi(x))^{*,n} = \bigwedge_{j=1}^{n} \varphi^{*,n}(j)$, $((\exists x)\varphi(x))^{*,n} = \bigvee_{j=1}^{n} \varphi^{*,n}(j)$.

Note that if $\varphi$ is as assumed (free variables replaced by elements of $M$) then
$\|\varphi\|_{\mathbf{M}}$ has the obvious meaning $\|\varphi\|_{\mathbf{M},v}$ where $v$ just assigns to each free variable
the corresponding element of $M$ (and otherwise arbitrary).

Lemma. For each finite $\mathbf{M}$ of cardinality $n$ and $\varphi$ as above,

$$\|\varphi\|_{\mathbf{M}} = e_{\mathbf{M}}(\varphi^{*,n}).$$

Proof. Obvious by induction on $\varphi$, observing that on a finite domain $\forall$ reduces
to a finite $\wedge$-conjunction and analogously $\exists$, $\vee$. Note that $\varphi^{*,n}$ is a recursive
function of $\varphi$ and $n$, the language $P_1, \dots, P_k$ being given.
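
The translation lemma and the earlier crisp-model lemma can be checked mechanically on a small model. The following Python sketch is an added example, not code from the paper: the tuple encoding of formulas, the function names and the sample model are assumptions made here. It evaluates formulas directly (inf/sup over the finite universe), evaluates their propositional translations under $e_{\mathbf{M}}$, and compares $\mathbf{M}$ with $\mathbf{M}^*$.

```python
from fractions import Fraction as F
from functools import reduce

# Truth functions (1)-(13): (t-norm *, residuum =>) per logic; negation is x => 0.
LOGICS = {
    "L":  (lambda x, y: max(F(0), x + y - 1), lambda x, y: F(1) if x <= y else 1 - x + y),
    "G":  (lambda x, y: min(x, y),            lambda x, y: F(1) if x <= y else y),
    "Pi": (lambda x, y: x * y,                lambda x, y: F(1) if x <= y else y / x),
}
ZERO = ("0",)

# Defined connectives of Sect. 2, built only from &, -> and 0.
def neg(a):
    return ("->", a, ZERO)

def wedge(a, b):                       # min-conjunction
    return ("&", a, ("->", a, b))

def vee(a, b):                         # max-disjunction
    return wedge(("->", ("->", a, b), b), ("->", ("->", b, a), a))

def value(phi, model, n, logic, v=None):
    """Tarski-style truth value ||phi||_{M,v} over the universe {1..n}."""
    t, r = LOGICS[logic]
    v = v or {}
    op = phi[0]
    if op == "0":
        return F(0)
    if op == "atom":                   # ("atom", predicate, (variables...))
        return model[phi[1]][tuple(v[x] for x in phi[2])]
    if op in ("&", "->"):
        a, b = (value(s, model, n, logic, v) for s in phi[1:])
        return t(a, b) if op == "&" else r(a, b)
    vals = [value(phi[2], model, n, logic, {**v, phi[1]: j}) for j in range(1, n + 1)]
    return min(vals) if op == "all" else max(vals)      # inf / sup on a finite domain

def translate(phi, n, v=None):
    """phi^{*,n}: quantifiers become finite min-conjunctions / max-disjunctions."""
    v = v or {}
    op = phi[0]
    if op == "0":
        return phi
    if op == "atom":                   # propositional variable p_{i j_1..j_s}
        return ("p", phi[1], tuple(v[x] for x in phi[2]))
    if op in ("&", "->"):
        return (op, translate(phi[1], n, v), translate(phi[2], n, v))
    parts = [translate(phi[2], n, {**v, phi[1]: j}) for j in range(1, n + 1)]
    return reduce(wedge if op == "all" else vee, parts)

def prop_value(psi, e, logic):
    """e_C(psi) for a propositional formula psi under the evaluation e."""
    t, r = LOGICS[logic]
    if psi[0] == "0":
        return F(0)
    if psi[0] == "p":
        return e[psi[1:]]
    a, b = prop_value(psi[1], e, logic), prop_value(psi[2], e, logic)
    return t(a, b) if psi[0] == "&" else r(a, b)

def e_M(model):
    """Evaluation e_M: p_{i j_1..j_s} gets the degree r_{P_i}(j_1..j_s)."""
    return {(name, tup): d for name, rel in model.items() for tup, d in rel.items()}

def crisp(model):
    """M*: apply i(0) = 0, i(x) = 1 for x > 0 to every fuzzy relation."""
    return {name: {tup: F(int(d > 0)) for tup, d in rel.items()}
            for name, rel in model.items()}

# Constructed sample model on {1, 2} with a unary P and a binary R.
N = 2
MODEL = {"P": {(1,): F(1, 2), (2,): F(0)},
         "R": {(1, 1): F(1), (1, 2): F(1, 4), (2, 1): F(0), (2, 2): F(3, 4)}}
Px, Py, Rxy = ("atom", "P", ("x",)), ("atom", "P", ("y",)), ("atom", "R", ("x", "y"))
FORMULAS = [
    ("ex", "x", ("&", Px, Px)),
    ("all", "x", vee(Px, neg(Px))),                     # Crisp(P)
    ("all", "x", ("ex", "y", ("->", Rxy, Py))),
    ("all", "x", Px),
]

def translation_agrees(logic):
    """Check ||phi||_M = e_M(phi^{*,n}) on every sample formula."""
    e = e_M(MODEL)
    return all(value(f, MODEL, N, logic) == prop_value(translate(f, N), e, logic)
               for f in FORMULAS)

def crisp_lemma_holds(logic):
    """Check ||phi||_{M*} = i(||phi||_M) on every sample formula."""
    star = crisp(MODEL)
    return all(value(f, star, N, logic) == F(int(value(f, MODEL, N, logic) > 0))
               for f in FORMULAS)
```

On this model the translation agrees with direct evaluation in all three logics, while the crisp-model identity holds for G and $\Pi$ but fails for Ł: $(\exists x)(P(x) \,\&\, P(x))$ has value 0 in $\mathbf{M}$ and 1 in $\mathbf{M}^*$.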

Some instances of the following lemma are redundant (since they follow from 
the preceding), but we prefer a uniform formulation and proof. 
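Lemma. For $\mathcal{C}$ being Ł, G, $\Pi$, and $\diamond$ being 1 or pos, the set $fSAT_\diamond^{\mathcal{C}\forall}$ is $\Sigma_1$
and the set $fTAUT_\diamond^{\mathcal{C}\forall}$ is $\Pi_1$.

Proof. Let $\varphi$ vary over closed formulas. Recall that the sets $SAT_\diamond^{\mathcal{C}}$, $TAUT_\diamond^{\mathcal{C}}$ of
propositional formulas are of low computational complexity (co-NP, NP) and
hence recursive. Now

$$\varphi \in fSAT_\diamond^{\mathcal{C}\forall} \text{ iff } (\exists n)(\varphi^{*,n} \in SAT_\diamond^{\mathcal{C}}),$$

$$\varphi \in fTAUT_\diamond^{\mathcal{C}\forall} \text{ iff } (\forall n)(\varphi^{*,n} \in TAUT_\diamond^{\mathcal{C}}).$$

This proves the lemma.

Lemma. For $\mathcal{C}$ = G or $\Pi$, $fTAUT_1^{\mathcal{C}\forall}$ is $\Pi_1$-complete.

Proof. The set in question is in $\Pi_1$ by the previous lemma. To reduce
$fTAUT^{Bool\forall}$ to $fTAUT_1^{\mathcal{C}\forall}$ we use the double negation interpretation:

Let result from $\varphi$ by attaching double negation to each atomic formula.
Then (cf. [1] 6.2.8, 6.3.1)

$\varphi \in fTAUT^{Bool\forall}$ iff $\in fTAUT_1^{\mathcal{C}\forall}$.

Lemma. The sets $fSAT_1^{Ł\forall}$ and $fSAT_{pos}^{Ł\forall}$ are $\Sigma_1$-complete.

Proof. Let $Crisp(P_i)$ be the formula $(\forall x)(P(x) \vee \neg P(x))$. It is easy to show
that $\varphi \in fSAT^{Bool\forall}$ iff $\bigwedge_i Crisp(P_i) \wedge \varphi$ is in $fSAT_1^{Ł\forall}$. (This argument also
works for G, $\Pi$ as an alternative to the above proof.) Thus again we have a
recursive reduction.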

For SAT^ we proceed as follows: (using a method of Ragaz, cf. [1] 6.3.6 
- 6.3.9).: for each closed if, if € fSAT^°°’‘^ iff /\Grisp^{Pi) A if'^ is positively 
finitely satisfiable, i. e. iff there is a finite model M such that ||C'r*sp^(Z?i) A 
V'^IIm > 0. (Cf. [1] 6.2.13 and 6.3.10.) Here one has to assume that if is classical 
in the sense that the only connectives used are A, V, 

This reduces $fSAT^{Bool\forall}$ to $fSAT_{pos}^{Ł\forall}$.

Corollary. The sets $fTAUT_1^{Ł\forall}$ and $fTAUT_{pos}^{Ł\forall}$ are $\Pi_1$-complete.

Proof. This is because, thanks to the properties of Łukasiewicz negation, for
each sentence $\varphi$, $\varphi \in fSAT_1^{Ł\forall}$ iff $\neg\varphi \notin fTAUT_{pos}^{Ł\forall}$, and similarly for 1 and pos
interchanged. Thus the complement of $fTAUT_{pos}^{Ł\forall}$ is $\Sigma_1$-complete and so is the
complement of $fTAUT_1^{Ł\forall}$. This completes the proof of our theorem.



4 Appendix 

It is of some interest to observe that $\mathcal{C}\forall$ has the rational model property:
Claim. For $\mathcal{C}$ being Ł, G, $\Pi$, the following holds:

(1) If there is a finite $\mathbf{M}$ with $\|\varphi\|_{\mathbf{M}} = 1$ then there is a rational-valued model
$\mathbf{M}'$ (of the same cardinality) with $\|\varphi\|_{\mathbf{M}'} = 1$.

(2) the same with < 1 instead of = 1.

(Note that this gives an alternative proof of $fSAT_1^{\mathcal{C}\forall} \in \Sigma_1$, $fTAUT_1^{\mathcal{C}\forall} \in \Pi_1$. Cf.
[1] 6.3.6)

Proof. Due to our representation (Sect. 2), it is enough to show for each
propositional formula $\varphi$ that if $e_{\mathcal{C}}(\varphi) = 1$ then for some rational-valued $e'$, $e'_{\mathcal{C}}(\varphi) = 1$
and the same for < 1. First, this is easy for G since if $0 < z_1 < \dots < z_n < 1$
contain all the values $e(p_i)$ involved and $0 < r_1 < \dots < r_n < 1$ are rationals
then one easily gets an isomorphism of [0, 1] with respect to Gödel connectives
moving $z_i$ to $r_i$. For Ł and < 1 the claim follows immediately from the continuity
of truth functions; for Ł and = 1 we use [1] 3.3.17. Finally, investigate $\Pi$ and
recall the transformation $\varphi^I$ [1] 6.2.2 such that, for each $I$, $\varphi^I$ does not contain
0 or is 0; and for each $e$ such that $e(p_i) = 0$ iff $i \in I$, $e_\Pi(\varphi) = e_\Pi(\varphi^I)$. For
“< 1” observe that for positive values $x_i = e(p_i)$ ($i \notin I$), the value $e_\Pi(\varphi^I)$ is
continuous (and positive) in $x_i$ ($i \notin I$). (If $\varphi^I$ is 0 then there is nothing to prove.)

Finally for “= 1” observe that if $e$ is such that $e_\Pi(\varphi) = 1$ then for some
boolean $e'$, $e'_\Pi(\varphi) = 1$ ($e'(p_i) = 0$ if $e(p_i) = 0$, $e'(p_i) = 1$ otherwise). This
completes the proof.

Finally we present some easy facts on arithmetical complexity not contained 
in [1]. 

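Fact. (1) $TAUT_1^{G\forall}$ is $\Sigma_1$-complete.

(2) $TAUT_{pos}^{G\forall}$ is $\Sigma_1$-complete.

Proof. (1) $TAUT_1^{G\forall}$ is $\Sigma_1$-complete by [1] 6.1.13 (1). To prove (2) observe
$\varphi \in TAUT_{pos}^{G\forall}$ iff $\neg\neg\varphi \in TAUT_1^{G\forall}$; hence the former set is in $\Sigma_1$. Moreover,
we shall show that for each classical $\varphi$, $\varphi \in TAUT^{Bool\forall}$ iff $(Crisp \to \varphi) \in
TAUT_{pos}^{G\forall}$, where $Crisp$ is the formula defined above and expressing crispness of
all predicates occurring in $\varphi$; thus $TAUT_{pos}^{G\forall}$ is $\Sigma_1$-complete.

Indeed if $(Crisp \to \varphi) \in TAUT_{pos}^{G\forall}$ then obviously $\varphi \in TAUT^{Bool\forall}$.
Conversely, if $\|Crisp \to \varphi\|_{\mathbf{M}} = 0$ for some $\mathbf{M}$ then $\|\varphi\|_{\mathbf{M}} = 0$ and $\|Crisp\|_{\mathbf{M}} = t$
for some $t > 0$. Then we can construct the crisp model $\mathbf{M}^*$ as above (but now
possibly infinite) and show that for each sentence $\varphi$, $\|\varphi\|_{\mathbf{M}^*} = i(\|\varphi\|_{\mathbf{M}})$. Hence
$\mathbf{M}^*$ is a crisp model and $\varphi$ is false in $\mathbf{M}^*$; hence $\varphi \notin TAUT^{Bool\forall}$.

Remark. Concerning $TAUT_{pos}^{\Pi\forall}$, the only obvious thing is that it is reducible
to $TAUT_1^{\Pi\forall}$ (by mapping $\varphi$ to $\neg\neg\varphi$) and that $TAUT^{Bool\forall}$ reduces to $TAUT_{pos}^{\Pi\forall}$.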

Fact.

(1) $SAT_1^{Ł\forall}$ is $\Pi_1$-complete.

(2) $SAT_{pos}^{Ł\forall}$ is $\Sigma_2$-complete.

(3) $SAT_1^{G\forall}$ is $\Pi_1$-complete.

(4) $SAT_{pos}^{G\forall}$ is $\Pi_1$-complete.

Proof. (1) $\varphi \in SAT_1^{Ł\forall}$ iff $\neg\varphi \notin TAUT_{pos}^{Ł\forall}$, and $\varphi \in TAUT_{pos}^{Ł\forall}$ iff $(\neg\varphi) \notin
SAT_1^{Ł\forall}$.

(2) Similarly, with “1” and “pos” exchanged.

(3) $\varphi \in SAT_1^{G\forall}$ iff $\{\varphi\}$ is consistent over G$\forall$; thus $SAT_1^{G\forall}$ is $\Pi_1$. Moreover,
$\varphi \in SAT^{Bool\forall}$ iff $(Crisp \,\&\, \varphi) \in SAT_1^{G\forall}$, thus we have $\Pi_1$-completeness.

Remarks. (1) Little is known about $SAT_1^{\Pi\forall}$, $SAT_{pos}^{\Pi\forall}$.

(2) It would be interesting to investigate possible generalizations of our results
to other many-valued logics.
Abstract. This paper surveys two related lines of research:

— Logical characterizations of (non-deterministic) linear time complex- 
ity classes, and 

— non-expressibility results concerning sublogics of existential second- 
order logic. 

Starting from Fagin’s fundamental work there has been steady progress 
in both fields with the effect that the weakest logics that are used in 
characterizations of linear time complexity classes are closely related to 
the strongest logics for which inexpressibility proofs for concrete prob- 
lems have been obtained. The paper sketches these developments and 
highlights their connections as well as the obstacles that prevent us from 
closing the remaining gap between both kinds of logics. 



1 Introduction 

The theory of computational complexity is quite successful in classifying compu- 
tational problems with respect to their intrinsic consumption of resources. Un- 
fortunately it is until now much less successful in proving that the complexity 
classes that are used for these classifications are different. Examples of separa- 
tions of complexity classes are the hierarchy theorems [30,53,8,52] which show 
that more of the same kind of resource enables a Turing machine to solve more 
complicated problems. E.g., the class PSPACE of problems that can be solved 
with polynomial space is strictly larger than the class LOGSPACE of problems 
that can be solved with logarithmic space. In combination with the concept of 
hardness one can conclude lower bounds from these results. E.g., because the
evaluation of quantified Boolean formulas is complete for PSPACE, such
formulas can, in general, not be evaluated with logarithmic space. Other separation
results show that in nondeterministic time T, Turing machines can solve more 
problems than in deterministic time T [41] and that in space S a Turing ma- 
chine can compute more than in time S [31]. The proofs of all the mentioned 
results combine simulation and diagonalization methods adopted from recursion 
theory. In particular, they give no general methods for proving precise lower 
bounds for concrete computational problems. Furthermore, it has been noticed
early by Baker et al. [5], proved by so-called relativization, that these methods
are not suitable to separate, e.g., P from NP. This insight has directed the
attempts to prove lower bounds to concrete computational problems on restricted
computational models. Such models include decision trees, branching programs,
and Boolean circuits.

A different approach is taken by descriptive complexity. The idea of descriptive
complexity is to measure the syntactic complexity of formulas that express a
certain property instead of its computational complexity. This allows a
“machine-independent” view at the complexity of problems and it makes the adaption of
proof methods of mathematical logic to complexity questions possible. A
fundamental result in that direction is Fagin’s Theorem [17] which states that a
property is in the class NP if and only if it can be expressed by an existential
second-order formula.¹ Hence, a proof that the class of problems which can be
expressed by such formulas is not closed under complementation would yield
$NP \neq coNP$ and therefore $P \neq NP$. As a first step in that direction Fagin
showed that the class of problems that can be expressed by a monadic
existential second-order formula is not closed under complementation [18].

These two results of Fagin are the starting points for the two lines of research 
which we are going to sketch in this paper. 

(1) The first line characterizes subclasses of NP by fragments of existential 
second order logic. In our context, the aim is to find characterizations with 
as simple as possible fragments of ESO to facilitate non-expressibility proofs. 
We are going to concentrate here on non-deterministic linear time classes. 

(2) The second line tries to improve our ability to prove non-expressibility results 
to extensions of monadic existential second-order logic. The objective is to 
prove non-expressibility results for a logic that is strong enough to capture 
real computation. Here we focus on extensions of monadic existential second- 
order logic by built-in relations on the one hand and on fragments of binary 
existential second-order logic on the other hand. 

For a general introduction to descriptive complexity we refer to the textbooks 
of Immerman and Ebbinghaus, Flum [32,14]. 

The paper is organized as follows. In Section 2 we give basic definitions and 
introduce some notation. In Section 3 we review the mentioned results of Fagin 
in more detail. In section 4 we give a survey of logical characterizations of linear 
time classes and in Section 5 we describe some related non-expressibility results. 
We give a short conclusion in Section 6. 

I would like to thank Nicole Schweikardt for helping me to prepare this
manuscript and an anonymous referee for many useful suggestions.

2 Definitions and Notations 
2.1 Finite Structures 

Whereas computational complexity usually talks about sets of strings,
descriptive complexity uses finite structures. One benefit of this approach is that finite
structures allow in many cases a more natural representation of problems. For
example, it allows us to represent a graph $G$ by the set $V$ of its vertices together
with a binary relation $E$ over $V$, which mirrors its adjacency matrix. In general,
a finite structure consists of

— a universe $U$, i.e., a set of basic objects,

— some constants, i.e., elements from $U$,

— some relations over $U$, and

— some functions over $U$.

We will usually assume that $U$ is of the form $\{1, \dots, n\}$ for some natural number
$n$. We denote with $|A|$ the size of the universe of a finite structure $A$. Usually we are
only interested in sets of structures of the same kind, i.e. with the same number
and arity of relations, functions and constants. This is formalized by the notion of
a signature. A signature (or vocabulary) $\tau = (R_1, \dots, R_k, f_1, \dots, f_l, c_1, \dots, c_m)$
is a tuple of relation symbols, function symbols and constant symbols, where
for each relation symbol and function symbol there is an associated arity $a(R_i)$
($a(f_i)$ resp.). For example, the signature of the before mentioned representation
of graphs is $(E)$, where $E$ is a binary relation symbol.

¹ Precise definitions are given in Section 2.

We can also represent strings as finite structures, as follows.² The universe of
a string $w = w_1 \cdots w_n$ over an alphabet $\Sigma$ consists of the set $\{1, \dots, n\}$ of
positions in $w$. The letters in $w$ are represented by unary relations $Q_a$, one for
each $a \in \Sigma$, such that $i \in Q_a$ iff $w_i = a$. As we will see, a logical formula is, in
general, only allowed to refer to $w$ via the relations, functions and constants in
its representation. In particular, unless otherwise stated, they are not allowed to
use any “arithmetical knowledge” about the natural numbers (like their order or
how they are added). Therefore we need explicit information about the order
of the elements of the universe as part of the finite structure representation
of $w$. There are various possibilities, e.g. by a successor relation, a successor
function or a linear order relation. As an example, a signature for strings over
alphabet $\{a, b, c\}$ would be $(succ, min, max, Q_a, Q_b, Q_c)$, where $succ$ is a binary
relation symbol, $min$ and $max$ are constant symbols and $Q_a$, $Q_b$ and $Q_c$ are
unary relation symbols. The string $abcab$ would then be represented by the finite
structure $(\{1, \dots, 5\}, succ = \{(1, 2), (2, 3), (3, 4), (4, 5)\}, min = 1, max = 5, Q_a =
\{1, 4\}, Q_b = \{2, 5\}, Q_c = \{3\})$.

2.2 Formulas 

We presume a basic knowledge about syntax and semantics of first-order
formulas. An example of a first-order formula $\varphi$ is $\forall x\, \forall y\, [succ(x, y) \wedge Q_a(x)] \to Q_b(y)$
which holds in a string if and only if in this string every $a$ is followed by a $b$. In
particular, it holds in the example string $abcab$. We write $w \models \varphi$ to express the
fact that a formula $\varphi$ holds in a string $w$.³

² In Section 4 we will see another way to represent strings.

³ This notation is a bit sloppy, $w$ is meant here as an abbreviation for the finite
structure exhibited above. We are going to freely use this kind of identification of a
string and its finite structure.




Thomas Schwentick 



Second-order logic allows the (existential or universal) quantification over
relations. Existential second-order logic (ESO) consists of all second-order formulas
in prenex form⁴ in which second-order quantification is only existential. As an
example, the formula

$$\exists X\, (\exists x, y\; X(x) \wedge \neg X(y)) \wedge (\forall x, y\; [X(x) \wedge \neg X(y)] \to \neg E(x, y))$$

expresses that a graph is not connected. Intuitively, the formula says that the
vertices of the graph can be coloured with two colours, say blue and red, such
that there are no edges between a blue and a red vertex, but there exists at least
one vertex of each colour. As in this formula, we use uppercase letters to denote
relational variables and lowercase letters to denote individual variables. This
formula has a particular form, as $X$ is a unary relation symbol. ESO formulas that
only quantify over unary relations are called monadic ESO (MESO) formulas.
We say that a formula $\varphi$ characterizes a set $L$ of finite structures if, for every
structure $A$ (of the appropriate signature) it holds that $A \models \varphi \iff A \in L$.

3 Descriptive Complexity 

In this section we are going to have a closer look at the two theorems of Fagin that 
were already mentioned in the introduction. We start with the characterization 
of NP. 

Theorem 1 (Fagin 1974). A set of strings L is in NP if and only if L can be
characterized by an existential second-order formula.

Proof (Sketch). We only give the main ideas of the proof. Let us first assume
that $L$ is characterized by an ESO formula $\Phi = \exists R_1, \dots, R_k\, \varphi$, where $\varphi$ is
first-order. Let $w = w_1 \cdots w_n$ be a string. We can identify $l$-tuples $t$ over the
universe $\{1, \dots, n\}$ with natural numbers in $\{1, \dots, n^l\}$ in a natural way. E.g.,
we can define $t(j)$ to be the $j$-th tuple in the lexicographic order of all
$l$-tuples over $\{1, \dots, n\}$. In particular $t(1) = (1, \dots, 1)$, $t(2) = (1, \dots, 2)$ and
$t(n^l) = (n, \dots, n)$. We can represent an $l$-ary relation $R$ over $\{1, \dots, n\}$ by a
binary string $v$ of length $n^l$ by setting $v_j = 1$ iff $t(j) \in R$. Now it is easy to see
that a non-deterministic Turing machine can evaluate $\Phi$ by first guessing (strings
that represent) relations $R_1, \dots, R_k$ and then evaluating the first-order formula
$\varphi$ on the structure $(w, R_1, \dots, R_k)$. The former involves guessing $O(kn^l)$ bits,
if $l$ is the maximum arity of a relation $R_i$ and the evaluation of a first-order
formula with quantifier-depth $d$ can be done in time $O(n^d)$ (and $d$ is fixed for
$L$), so we can conclude that $L \in NP$.
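
The first direction of the proof can be run deterministically by enumerating every possible guess. The following Python sketch is an added example, not part of the original paper: the function names and the sample graphs and strings are constructed here. It encodes relations as bit strings via the lexicographic tuple order $t(j)$, tries all guesses for the quantified relations, and applies this to the non-connectivity formula of Section 2.2; it also evaluates the first-order string formula of Section 2.2 on the structure built for a string.

```python
from itertools import product

def t(j, n, l):
    """j-th l-tuple over {1..n} in lexicographic order (j counted from 1)."""
    j -= 1
    digits = []
    for _ in range(l):
        j, d = divmod(j, n)
        digits.append(d + 1)
    return tuple(reversed(digits))

def encode(rel, n, l):
    """Binary string v of length n^l with v_j = 1 iff t(j) is in the relation."""
    return "".join("1" if t(j, n, l) in rel else "0" for j in range(1, n**l + 1))

def decode(bits, n, l):
    """Inverse of encode: the l-ary relation represented by the bit sequence."""
    return {t(j, n, l) for j in range(1, n**l + 1) if bits[j - 1] == "1"}

def eso_holds(n, arities, first_order):
    """Deterministic stand-in for the NP machine: try every guess for
    R_1..R_k (one bit per tuple) and evaluate the first-order part on each."""
    lengths = [n**l for l in arities]
    for bits in product("01", repeat=sum(lengths)):
        rels, pos = [], 0
        for l, length in zip(arities, lengths):
            rels.append(decode(bits[pos:pos + length], n, l))
            pos += length
        if first_order(*rels):
            return True
    return False

def not_connected(n, E):
    """The ESO formula of Section 2.2: some unary X has a member and a
    non-member, and no edge leads from a member to a non-member."""
    U = range(1, n + 1)
    def phi(X):
        both_colours = any((x,) in X and (y,) not in X for x in U for y in U)
        no_crossing = all(not ((x,) in X and (y,) not in X) or (x, y) not in E
                          for x in U for y in U)
        return both_colours and no_crossing
    return eso_holds(n, [1], phi)

def string_structure(w):
    """Finite structure of a string: universe size, succ, and one Q_a per letter."""
    n = len(w)
    succ = {(i, i + 1) for i in range(1, n)}
    Q = {a: {i for i in range(1, n + 1) if w[i - 1] == a} for a in set(w)}
    return n, succ, Q

def every_a_followed_by_b(w):
    """forall x forall y [succ(x,y) and Q_a(x)] -> Q_b(y), by nested loops."""
    n, succ, Q = string_structure(w)
    U = range(1, n + 1)
    return all(not ((x, y) in succ and x in Q.get("a", set())) or y in Q.get("b", set())
               for x in U for y in U)

# Constructed sample graphs, given as symmetric edge relations.
PATH = {(1, 2), (2, 1), (2, 3), (3, 2)}            # connected, 3 vertices
TWO_EDGES = {(1, 2), (2, 1), (3, 4), (4, 3)}       # two components, 4 vertices
```

The enumeration in `eso_holds` visits $2^{n^l}$ guesses per relation, which is the exponential cost that the non-deterministic guess of $O(kn^l)$ bits avoids.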

Now let $L \in NP$ and $M$ be a non-deterministic Turing machine which accepts
$L$ in time $< n^k$. We assume w.l.o.g. that $M$ is a one-tape Turing machine that
is sufficiently normalized. We think of the start configuration of $M$ as a tuple
$(q_0, 1, v_0)$, where $v_0$ is a string of length $n^k$ that consists of the input string $w$
padded by blank symbols, hence $v_0 = w\sqcup^{n^k - n}$; $q_0$ is the initial state of $M$ and
the 1 indicates that the head of $M$ is at the first position of $v_0$. In general a
configuration $C$ of $M$ consists of a tuple $(q, p, v)$, where $q$ is a state of $M$, $v$
is a string of length $n^k$ and $p$ is a position in $v$, i.e., a number in $\{1, \dots, n^k\}$.
We say that configuration $C'$ is a successor of configuration $C$, if $C'$ describes a
situation which can be obtained from $C$ by one step of $M$. Note that, as $M$ is
non-deterministic, there might exist more than one successor configuration of a
configuration. As the behaviour of Turing machines is very local, the strings $v, v'$
of two successive configurations can only differ in one position. Furthermore it is
easy to test, given $M$, whether a configuration $C'$ is a successor of a configuration
$C$.

⁴ In particular, all second-order quantifiers are in front of everything else.

A whole computation of $M$ can now be viewed as a sequence of
configurations. The main idea of the proof is to encode such sequences into relations over
$\{1, \dots, n\}$. Let $Q$ be the set of states of $M$ and let $\Gamma$ be the tape alphabet of
$M$. We use the following relations.

— For every $\sigma \in \Gamma$, a $2k$-ary relation $R_\sigma$ with the intention $(\bar{i}, \bar{j}) \in R_\sigma$ if in
the $i$-th configuration of the computation there is a $\sigma$ at position $j$. Here we
write $\bar{i}$ for the $k$-tuple representation of $i$.

— For every $q \in Q$, a $k$-ary relation $R_q$ with the intention $(\bar{i}) \in R_q$ if in the
$i$-th configuration of the computation $M$ is in state $q$.

— A $2k$-ary relation $R_h$ with the intention $(\bar{i}, \bar{j}) \in R_h$ if in the $i$-th configuration
of the computation the head of $M$ is at position $j$.

It remains to show that there is a first-order formula $\varphi$ which holds on
$(w, (R_\sigma)_{\sigma \in \Gamma}, (R_q)_{q \in Q}, R_h)$ if and only if the relations represent a correct and
accepting computation of $M$ on input $w$. This is the more technical part of the
proof which we omit. In the end we get a formula $\exists (R_\sigma)_{\sigma \in \Gamma}, (R_q)_{q \in Q}, R_h\, \varphi$ which
characterizes $L$.

To be able to discuss the proof of the second theorem of Fagin we need some
preparation. Ehrenfeucht games [21,15] are two person games on pairs of (in
our context finite) structures. The two players are often named as the spoiler
and the duplicator. Intuitively, in the game on structures $A$ and $B$, the spoiler
tries to show that $A$ and $B$ are different, whereas the duplicator tries to make
them look alike. The game consists of a number $k$ of rounds. In each round $i$
the spoiler selects first an element $a_i$ of $A$ or an element $b_i$ of $B$. The duplicator
then answers by correspondingly selecting an element $b_i$ of $B$ or $a_i$ of $A$. In the
end, the duplicator has won the game if the substructures of $A$ and $B$ that are
induced by the selected vertices are isomorphic under the mapping which maps
$a_i$ to $b_i$, for every $i \le k$; otherwise the spoiler has won. The usefulness of such
games is connected with the following result.

Theorem 2 (Ehrenfeucht 61, Fraïssé 54). A set $L$ of structures can be
characterized by a first-order formula of quantifier-depth $k$ if and only if, for
every $A \in L$ and every $B \notin L$, the spoiler has a winning strategy in the $k$-round
Ehrenfeucht game on $A$ and $B$.
There is not only a correspondence between the number of rounds in the game
and the quantifier depth of the respective formula. In a precise way, rounds in
which the spoiler chooses a vertex in A correspond to existential quantifiers and
rounds in which he chooses a vertex in B correspond to universal quantifiers. For
details, see [14]. As we want to prove non-expressibility results, we are especially
interested in the following easy consequence of this theorem. If, for every k, there
are structures $A \in L$ and $B \notin L$ such that the duplicator has a winning
strategy in the k-round Ehrenfeucht game on A and B then L cannot be characterized
by a first-order formula.

There are a lot of variants of Ehrenfeucht games for all kinds of logics. We
are going to consider Ehrenfeucht games for fragments of existential second-order
logics. It is straightforward to extend the (first-order) Ehrenfeucht game
to such logics. E.g., to get a game for monadic ESO formulas that quantify over
l relations, we would simply extend the game by an additional round in the
beginning, in which the spoiler selects l unary relations of A and the duplicator
selects l unary relations of B.⁵ Unfortunately this game is hard to win for the
duplicator. In fact, the original proof [18] of Theorem 4 is quite involved. It was
a major breakthrough when Ajtai and Fagin [2] invented a game that is much
easier to play for the duplicator, as she is allowed to choose B after the spoiler
has coloured A. It came as a surprise, but is actually not hard to prove, that this
game still characterizes monadic ESO. The rules of the (l, k)-Ajtai-Fagin game
on a set L of structures are as follows.

— The duplicator first selects a structure $A \in L$.

— The spoiler colours it with l colours.

— The duplicator selects a structure $B \notin L$ and colours it with l colours.

— Finally they play a k-round (first-order) Ehrenfeucht game on the two
coloured structures.

Theorem 3 (Ajtai, Fagin 90). A set L of structures can be characterized by
a monadic existential second-order formula if and only if, for some l and k, the
spoiler has a winning strategy in the (l, k)-Ajtai-Fagin game on L.

The invention of the Ajtai-Fagin game did not only lead to proofs of extensions 
of Fagin’s non-expressibility theorem but actually simplified the proof of the 
theorem itself significantly. We are now prepared to state it and give a sketch of 
its proof. 

Theorem 4. The set of undirected, connected graphs cannot be characterized by
a monadic existential second-order formula.

⁵ These l unary relations associate an l-tuple with every vertex v. There are $2^l$
such tuples. It is often more convenient to think of these tuples as $2^l$ colours.
In this view, each element has one and only one colour. We adopt this view in the
following considerations. Henceforth, l denotes the number of colours, which
represent log l unary relations.
Proof (Sketch). The presentation follows essentially [20]. It is sufficient to show
that, for every l and k, the duplicator has a winning strategy in the
(l, k)-Ajtai-Fagin game on the class L of connected graphs. Let l and k be given.
We write p for $2^k + 2$. We choose n large enough such that in every sequence of
n elements that are coloured with l different colours there must exist 2 disjoint
subsequences of length 2p that are coloured identically. A straightforward
calculation shows that $n = 2p(l^{2p} + 1)$ is sufficient for this purpose.

Let G be the graph with vertex set $\{1, \ldots, n\}$ and edges between i and i + 1,
for each $i \in \{1, \ldots, n - 1\}$, and between n and 1. G is a cycle, in
particular it is connected. Let G be coloured by the spoiler with l colours. As n
was chosen appropriately, there are 2 disjoint intervals starting at vertices, say
r + 1 and s + 1, such that, w.l.o.g. r + 2p < s, s + 2p < n and, for every
$i \in \{1, \ldots, 2p\}$, the vertices r + i and s + i have the same colour. The
duplicator chooses a graph G' which is almost the same as G, in particular, all
vertices are coloured in the same way, but instead of the edges (r + p, r + p + 1)
and (s + p, s + p + 1) it has edges (s + p, r + p + 1) and (r + p, s + p + 1). As
Figure 5 illustrates, G' is not connected.



[Figure: the cycle G and the rewired graph G', with the vertices r+1, r+p, r+p+1,
r+2p and s+1, s+p, s+p+1, s+2p marked.]

Fig. 1. The graphs G and G'. Colours are indicated by the different shapes of
the vertices.



It is now straightforward, by using either the Hanf method [20] or the gap method
[48], to prove that the duplicator has a winning strategy for the k-round
first-order game on the two coloured structures.

— The Hanf method can be applied because in both graphs the same
p-neighbourhoods occur with the same frequency. Here, a p-neighbourhood is a
subgraph which is induced by all vertices that have distance < p from some
vertex v.

— The gap method can be applied as follows. Let us call the subgraphs of G
and G' that are induced by the vertices r + p, r + p + 1, s + p, s + p + 1 the
inner subgraphs and the subgraphs that are induced by all vertices except
$\{s + 1, \ldots, s + 2p\}$ and $\{r + 1, \ldots, r + 2p\}$ the outer subgraphs. In
the beginning of the game the inner subgraphs as well as the outer subgraphs are
isomorphic and their distance is $p - 1 > 2^k$. During the game the inner and the
outer graph may be extended by the vertices that are chosen by the spoiler and
the duplicator. The proof now relies on the fact that the duplicator is able to
maintain a gap (of size $> 2^i$, when there are still i rounds to play) between
the inner and the outer subgraph, while still keeping them isomorphic.
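The construction in this proof sketch can be checked mechanically. The following added example (not part of the original paper) builds the cycle G for given l and k, finds two identically coloured blocks by the pigeonhole argument, rewires the two middle edges, and compares the coloured p-neighbourhood census that the Hanf method relies on. All function names and the sample colouring are assumptions made for the illustration, and the block search only enforces that the two intervals are disjoint.

```python
from collections import Counter


def cycle_edges(n):
    """Edges of the cycle G on the vertices 1..n."""
    return {frozenset((i, i % n + 1)) for i in range(1, n + 1)}


def twin_intervals(colour, n, p):
    """Pigeonhole step: cut 1..n into blocks of length 2p and return (r, s)
    such that r+i and s+i have the same colour for every i in 1..2p."""
    seen = {}
    for start in range(0, n - 2 * p + 1, 2 * p):
        pattern = tuple(colour[start + i] for i in range(1, 2 * p + 1))
        if pattern in seen:
            return seen[pattern], start
        seen[pattern] = start
    return None  # cannot happen when n = 2p(l^(2p) + 1)


def rewire(edges, r, s, p):
    """The duplicator's graph G': swap the two middle edges."""
    removed = {frozenset((r + p, r + p + 1)), frozenset((s + p, s + p + 1))}
    added = {frozenset((s + p, r + p + 1)), frozenset((r + p, s + p + 1))}
    return (set(edges) - removed) | added


def adjacency(n, edges):
    adj = {v: [] for v in range(1, n + 1)}
    for edge in edges:
        a, b = tuple(edge)
        adj[a].append(b)
        adj[b].append(a)
    return adj


def components(n, edges):
    """Number of connected components, by depth-first search."""
    adj, seen, count = adjacency(n, edges), set(), 0
    for start in range(1, n + 1):
        if start in seen:
            continue
        count += 1
        seen.add(start)
        stack = [start]
        while stack:
            for u in adj[stack.pop()]:
                if u not in seen:
                    seen.add(u)
                    stack.append(u)
    return count


def census(n, edges, colour, p):
    """Multiset of coloured p-neighbourhoods (vertices at distance < p).
    Every vertex has degree 2 and every cycle has length >= 2p, so each
    neighbourhood is a path; it is stored as a colour sequence up to reversal."""
    adj = adjacency(n, edges)

    def walk(v, nxt):
        colours, prev = [], v
        for _ in range(p - 1):
            colours.append(colour[nxt])
            prev, nxt = nxt, next(u for u in adj[nxt] if u != prev)
        return tuple(colours)

    result = Counter()
    for v in range(1, n + 1):
        a, b = adj[v]
        seq = walk(v, a)[::-1] + (colour[v],) + walk(v, b)
        result[min(seq, seq[::-1])] += 1
    return result


def sample_spoiler(v):
    """Constructed sample colouring (reduced modulo l by the caller)."""
    return bin(v * 2654435761 % 2**32).count("1")


def one_cycle_vs_two(l, k, spoiler=sample_spoiler):
    p = 2**k + 2
    n = 2 * p * (l ** (2 * p) + 1)
    colour = [None] + [spoiler(v) % l for v in range(1, n + 1)]
    g = cycle_edges(n)
    r, s = twin_intervals(colour, n, p)
    g2 = rewire(g, r, s, p)
    return {
        "p": p, "n": n, "twins": (r, s),
        "components_G": components(n, g),
        "components_G2": components(n, g2),
        "same_census": census(n, g, colour, p) == census(n, g2, colour, p),
    }


if __name__ == "__main__":
    print(one_cycle_vs_two(2, 1))
```
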

The two theorems of Fagin give an upper and a lower bound for a logic with 
the two desired properties, namely a logic which is strong enough to capture a 
meaningful complexity class and which is weak enough to allow non-expressibility 
results. The rest of the paper deals with the process of making the gap between 
these two bounds, ESO logic and monadic ESO logic, smaller. 



4 Linear Time 

In the definition of the main complexity classes like (deterministic or non- 
deterministic) polynomial time or polynomial space, the choice of the underlying 
machine model is not very crucial. The definition does not depend on whether one 
chooses (1-tape or multi-tape or multi-dimensional) Turing machines or RAMs. 
As long as the cost associated with a computation is reasonable, all definitions
define the same classes (with the notable exception of the non-reasonable
unit-cost model for RAMs that are allowed to multiply numbers). Linear time, on
the other hand, is a much more delicate notion. For instance, as in algorithm
design, it is very sensitive to the representation of inputs and to changes of the
computational model. It is hard to define a robust notion of linear time. Some
authors tried to circumvent this problem by considering so-called quasi-linear
time, i.e., time $O(n\,\mathrm{polylog}(n))$ [44,29,22]. But there is not even
general agreement whether linear time on Turing machines is too weak or too
powerful [42].

In a series of articles [25,24,26] Grandjean invented a very reasonable formal- 
ization of (deterministic as well as non-deterministic) linear time. Before we get 
into the details of Grandjean’s definitions let us first have a closer look at why 
linear time on Turing machines (DTIME(n)) has little to do with linear time 
algorithms on, say, graphs. First of all, such algorithms rely usually on more 
sophisticated representations of the input graphs, like adjacency lists. Such lists 
are basically pointer structures, and the algorithms usually make excessive use
of “pointer jumping”. As the movements of the heads of a Turing machine are
only local, it is hard to see how such “pointer jumping” algorithms could be
simulated on a Turing machine in linear time. On the other hand, Random Ac- 
cess Machines are obviously very well suited to perform such algorithms. The 
definition of Grandjean’s linear time classes is based on the idea of representing 
strings by pointer structures in analogy to efficient graph representations. In a 
first step a string $w = w_1 \cdots w_n$ of length n is partitioned into
$m := \lceil 2n / \log n \rceil$ pieces of length $\frac{1}{2} \log n$. Then such a
partitioned string is encoded as a unary function
$f : \{1, \ldots, m\} \to \{0, \ldots, \lceil \sqrt{n} \rceil\}$ by defining f(i) to
be the number which is encoded⁶ by the i-th piece of the (partitioned) string w.
A computation is linear time if it needs only a linear number of steps in m. The
second characteristic feature of Grandjean’s model is that during a computation
only numbers of value O(m) are allowed.⁷ The model is quite robust with respect to
arithmetical operations. We can choose addition and subtraction as the basic
arithmetical operations. Allowing multiplication would not change the
computational power (in our context). For more details of Grandjean’s RAM model we
refer to [26]. With DLIN and NLIN we denote the class of problems that can
be computed on such a deterministic (non-deterministic, resp.) RAM in linear
time. Both classes are quite robust and seem to be very reasonable formalizations
of the intuitive notion of linear time.

Figure 7 shows the known inclusions between DLIN, NLIN and the linear time
classes for (multi-tape) Turing machines, DTIME(n) and NTIME(n).



[Figure: inclusion diagram over the classes NLIN, DLIN, NTIME(n) and DTIME(n).]

Fig. 2. The known inclusions between the considered linear time classes.



It comes as no surprise that we need a non-standard representation of strings as
finite structures in order to get logical characterizations of NLIN and DLIN.
A binary string $w = w_1 \cdots w_n$ is represented as a finite structure with
universe $\{0, \ldots, m\}$, where $m = \lceil 2n / \log n \rceil$, the natural
successor function succ and a unary function $g_w$, where $g_w(i)$ is the number
that is encoded by the i-th piece of w, as before. With this representation in
mind, NLIN can be characterized as follows.

Theorem 5. A set of strings is in NLIN if and only if it is characterized by a
formula

$\exists f_1, \ldots, f_k\, \forall x\, \varphi$,

where the $f_i$ are unary function symbols, x is one single individual variable and
$\varphi$ is a quantifier-free formula.

⁶ via the dyadic encoding $0 \cdots 0 \mapsto 0$, $0 \cdots 1 \mapsto 1$, and so on.

⁷ Although this is not so essential in the non-deterministic case. Here, allowing
polynomial values makes no difference.
Proof (Sketch). Before we sketch the proof, we have a closer look at the
underlying RAM model. For our purposes, a RAM has two accumulators A and B
and a sequence $(R_i)_{i \ge 0}$ of registers. The registers $R_i$ can be accessed
via the accumulators by instructions $R_A := B$ and $B := R_A$, which write the
value of B into the register whose number is in A and read the value of the
register whose number is in A into B, respectively. We assume for simplicity that
during a computation only numbers < m occur, hence only registers in
$\{R_0, \ldots, R_m\}$ are ever used. It can be shown that the defined classes do
not change, if we allow a fixed number of sequences of registers instead of only
one such sequence. Nondeterminism is introduced to this model by allowing to guess
numbers (of size < m).

The if-part of the proof is relatively straightforward. The RAM guesses unary
functions $f_1, \ldots, f_k$ by using k sequences of registers and verifies for
every $i \in \{0, \ldots, m\}$ that $\varphi$ holds. As, for each i, the evaluation
of $\varphi$ can be done in constant time this is a (non-deterministic) linear time
computation. It should be noted that this part of the proof is quite analogous to
the respective part of the proof of Theorem 1.

The only-if-part needs some special care. Fagin’s proof made use of guessing a
quadratic amount of information (namely 2k-ary relations for $n^k$-time
computations). Here, we have to be a bit more economical. Let M be a
non-deterministic RAM that decides a language L in linear time. A computation of M
is encoded into the following functions with the indicated intended meaning.⁸

— $f_A(i)$ is the value of accumulator A after step i.

— $f_B(i)$ is the value of accumulator B after step i.

— $f_I(i)$ is the number of the instruction that is performed in step i.

— f^(i) is the value of register $R_{f_A(i)}$ before step i.

— f^(i) is the value of register $R_{f_A(i)}$ after step i.

To verify that such functions encode a valid computation, the quantifier-free
formula $\varphi$ has to test, among other things, that /^, and are consistent.
If $i < j$, $f_A(i) = f_A(j)$ and $f_A(s) \ne f_A(i)$, for every s, $i < s < j$,
then it must hold f^(i) = f^(j). Intuitively, the formula must be able to find the
matching i for a given j, i.e., the last time step i at which A had the same value
as in step j (unless j is the first such time step, which can easily be detected,
and which means that f^(j) has to be $g_w(f_A(j))$, the respective input value). A
quantifier-free formula surely cannot do this. But it can be done by guessing
another function /; which encodes the lexicographic order on all pairs
$(f_A(j), j)$. More precisely, /;(0) is the j for which $(f_A(j), j)$ is maximal in
the lexicographic order of such pairs, /;(1) is the second pair, and so on. Let //
denote the inverse of /;. Now, for each j, /;(succ(//(j))) is the matching i. By
guessing some more unary functions the arithmetic operations can be verified, too.
For the details of the proof we refer to [27].
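The sorting trick of this proof sketch, as an added example that is not taken from the paper: a register trace is checked once by searching for the matching earlier step and once using only a guessed order on the pairs (address, step) together with its inverse, so that every test looks at one position and its successor. The names `order`, `inverse`, `before` and `after`, the instruction format and the sample program are assumptions of this illustration.

```python
def run_ram(program, g_w):
    """Execute (address, op, value) instructions on registers initialised with
    the input g_w and record, per step, the accessed address and the register
    value before and after the step."""
    regs = list(g_w)
    f_A, before, after = [], [], []
    for addr, op, value in program:
        f_A.append(addr)
        before.append(regs[addr])
        if op == "store":
            regs[addr] = value
        after.append(regs[addr])
    return f_A, before, after


def lex_order(f_A):
    """order[0] is the step j with the maximal pair (f_A[j], j), order[1] the
    second one, and so on (this is what the machine would guess)."""
    return sorted(range(len(f_A)), key=lambda j: (f_A[j], j), reverse=True)


def invert(order):
    inverse = [0] * len(order)
    for rank, step in enumerate(order):
        inverse[step] = rank
    return inverse


def consistent_direct(f_A, before, after, g_w):
    """Reference check: search backwards for the last access to the address."""
    for j in range(len(f_A)):
        earlier = [i for i in range(j) if f_A[i] == f_A[j]]
        expected = after[earlier[-1]] if earlier else g_w[f_A[j]]
        if before[j] != expected:
            return False
    return True


def consistent_via_order(f_A, before, after, g_w, order, inverse):
    """Same check, but each test only involves one position x and succ(x)."""
    steps = len(f_A)
    for x in range(steps):
        # inverse really inverts order, hence order is a permutation
        if inverse[order[x]] != x:
            return False
        # neighbouring pairs are strictly decreasing in the lexicographic order
        if x + 1 < steps:
            here = (f_A[order[x]], order[x])
            there = (f_A[order[x + 1]], order[x + 1])
            if here <= there:
                return False
    for j in range(steps):
        x = inverse[j] + 1  # successor of j's position in the order
        if x < steps and f_A[order[x]] == f_A[j]:
            if after[order[x]] != before[j]:  # order[x] is the matching i
                return False
        elif before[j] != g_w[f_A[j]]:  # j is the first access: input value
            return False
    return True


# Constructed sample: input values g_w(0..3) and a short program.
SAMPLE_INPUT = [5, 1, 4, 2]
SAMPLE_PROGRAM = [
    (2, "load", 0), (1, "store", 7), (2, "store", 3), (1, "load", 0),
    (2, "load", 0), (0, "store", 9), (1, "store", 8), (0, "load", 0),
]

if __name__ == "__main__":
    f_A, before, after = run_ram(SAMPLE_PROGRAM, SAMPLE_INPUT)
    order = lex_order(f_A)
    print(order, consistent_via_order(f_A, before, after, SAMPLE_INPUT,
                                      order, invert(order)))
```
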



⁸ Of course this description works only if the computation lasts less than m steps.
The general case is a straightforward extension.

This result does not only give a surprisingly clean characterization of NLIN,
thereby contributing to the robustness of this class, it also paves the way for a
concrete lower bound result: We consider pairs (A, k), where A is the encoding
of a finite automaton, in which the specification of the transition function
$\delta_A$ is possibly incomplete. Let RISA⁹ consist of all pairs (A, k) such that
$\delta_A$ can be extended in such a way that the resulting automaton has an
equivalent automaton with at most k states.

Theorem 6 (Grandjean 88).

$\mathrm{RISA} \notin \mathrm{DTIME}(n)$

Proof (Sketch). The theorem is implied by the two following facts.

— RISA is complete for NLIN under DTIME(n) reductions [25].

— $\mathrm{DTIME}(n) \subsetneq \mathrm{NTIME}(n) \subseteq \mathrm{NLIN}$ [41,25].

There are several refinements of this result. Durand and Ranaivoson [13] show
that instead of unary functions one can quantify over one single binary relation
of bounded outdegree. Olive [40] shows that the quantifier-free formula $\varphi$
can be normalized strongly. In fact, it is enough to consider formulas of the form
$\bigwedge_i t_i(x) = t'_i(x)$, where the $t_i$ and $t'_i$ are terms over
$\{\mathrm{succ}, f_1, \ldots, f_k\}$. Grandjean and Olive [27] prove that every
set of strings in NLIN can be characterized by a monadic ESO formula in the
presence of a built-in addition. For the definition of expressibility in the
presence of built-in relations we refer to Section 5. Schwentick [49] gives
algebraic and logical characterizations for DLIN, which are more complicated than
the characterization of NLIN. In particular, it is not clear how they could be
used to prove lower bound results. Grandjean and Schwentick [28] give simpler
characterizations of DLIN and a natural problem which is complete for this class
under DTIME(n) reductions.

We now turn to logical characterizations of linear time on Turing machines. As 
will become apparent in the next section, the techniques that are available for 
proving non-expressibility results seem not to be suitable for the formulas that 
are used in the characterization of NLIN. This is because the unrestricted choice 
of unary functions allows the spoiler to change the topology of the given structure 
strongly. As we want to close the gap between logics that capture complexity 
classes and logics that allow non-expressibility results, we go one step further 
and consider linear time on Turing machines. 

It was already shown by Lynch in [36,38] that $\mathrm{NTIME}(n^k)$ is captured by
ESO logic, in which quantification is restricted to k-ary relations (k-ary ESO,
for short) and that NTIME(n) is captured by monadic ESO logic with addition.
That a class is captured by a logic shall mean that every set in the class is
characterized by a formula in the logic but not necessarily vice versa.

⁹ RISA stands for Reduction of incompletely specified automata.

¹⁰ In the original proof it was shown that RISA is hard for NTIME(n) under
DTIME(n) reductions [23].

In [35] Lautemann et al. show that NTIME(n) can be characterized in a similar
way as NLIN, by restricting the shape of the quantified functions. In this
characterization strings are represented by finite structures in the
straightforward way that was described in Section 2. Let us call a unary function
f on $\{1, \ldots, n\}$ decreasing, if f(1) = 1 and f(i) < i, for every i > 1, and
non-crossing, if f(i) < j < i implies f(i) < f(j) < i.

Theorem 7. A set L of strings is in NTIME(n) if and only if it can be
characterized by a formula of the form

$\exists f_1, \ldots, f_k\, \forall x\, \varphi$,

where

— the $f_i$ are unary function symbols,

— $\varphi$ is quantifier-free,

— the quantification of functions is restricted to non-crossing, decreasing
functions, and

— in $\varphi$ it is not allowed that two different function symbols $f_i$, $f_j$
occur in the same equation.

Proof (Sketch). The only-if part makes use of a characterization of Turing
machine computations by Book and Greibach [6]. They show that a set of strings is
in NTIME(n) if and only if it can be recognized by a Turing machine M with
the following properties.

— M has a read-only input-tape. Furthermore, in step i the head of the input
tape is at position i.¹¹

— M has three additional pushdown tapes.

— On inputs of length n M makes exactly n steps.

The movements of M on a pushdown tape can be encoded by a unary function
f. For each $j \in \{1, \ldots, n\}$, f(j) is the time step at which the top entry
of the pushdown at step j was pushed. Consequently, f(f(j)) is the time the second
entry was pushed and so forth. It follows that every set in NTIME(n) can be
characterized by a formula in which only 3 functions (plus some unary relations)
are quantified. Furthermore, it is possible to restrict the $f_i$ such that at most
2 elements of the universe have the same function value.

For the if-part the crucial observation is that, on the other hand, a Turing
machine can guess a non-crossing, decreasing function with the help of a pushdown
tape which has, at step j, from top to bottom, the entries f(j), f(f(j)) and so
forth. For details we refer to [35].

¹¹ Such a device is called an online tape.
The proof shows in particular that linear time on non-deterministic Turing
machines with an on-line input tape and l pushdown tapes can be characterized by
formulas of the type 



where the Ri are unary relation symbols. Maass et al. [39] have shown that 
with 3 pushdown tapes such machines are more powerful than with 2 pushdown 
tapes. Furthermore, with 2 pushdown tapes they have more power than with 1 
pushdown tape (i.e., pushdown automata). Hence, by restricting the number of 
quantified functions, we get a strict three-level hierarchy whose levels are induced 
by one function, two functions and at least three functions, respectively. 

There is a natural candidate for the separation between NTIME(n) and NLIN.
Let $U = (u_1, \ldots, u_n)$ and $V = (v_1, \ldots, v_m)$ denote lists of
0-1-strings. Let CHECKSORT consist of all pairs (U, V) in which V contains exactly
the same strings as U but where V is sorted with respect to the lexicographical
order. It can be shown that CHECKSORT is in NTIME(n) if and only if NTIME(n) =
NLIN. This follows from the facts that CHECKSORT is in NLIN (even in
DLIN) and that every set in NLIN can be recognized in linear time by a
non-deterministic Turing machine that is allowed to perform a constant number of
sorting steps during its computation [25]. In a sorting step the strings that are
written on a special sorting tape, separated by commas, are sorted in one step.

In a recent paper Eiter et al. [16] considered fragments of ESO that are defined by
restricting the first-order quantifier prefix of formulas. For a string
$Q \in \{\exists, \forall\}^*$ let ESO(Q) denote the set of ESO formulas in which
the first-order prefix is of the form Q. They obtain the following classification.

— If Q is in $\exists^*\forall$ then ESO(Q) contains only star-free regular
languages.

— If Q contains $\forall\exists$ or $\forall\forall$ and is contained in
$\exists^*\forall\exists^*$ or $\exists^*\forall\forall$ then ESO(Q) can
characterize exactly all regular languages.

— If Q contains $\forall\forall\forall$, $\forall\exists\forall$ or
$\forall\forall\exists$ then ESO(Q) can characterize a certain NP-complete
language. As one can show that in each of these logics it can be tested whether a
given binary relation is the graph of a unary function, it turns out that these
logics capture NTIME(n) (even NLIN).

5 Nonexpressibility 

In this section we are going to survey non-expressibility results for two kinds 
of sublogics of ESO: monadic ESO with built-in relations and sublogics of ESO 
that allow the quantification of unary functions. 



5.1 Monadic ESO 

First of all we have to define the notion of built-in relations. In this
subsection, the universe of a structure will always be of the form
$\{1, \ldots, n\}$. Let $(R_n)_{n \ge 1}$ be a sequence of relations, such that
$R_n$ is a relation over $\{1, \ldots, n\}$ (and all relations are of the same
arity). We say that a set L of finite structures is characterized by a formula
$\varphi$ in the presence of built-in relations $(R_n)_{n \ge 1}$, if for every
structure A (of the appropriate signature) it holds
$(A, R_n) \models \varphi \iff A \in L$.

Built-in relations, especially linear orders or arithmetic relations, play a crucial
role in many characterizations of complexity classes. As an example, consider
the formula

$\exists X\; X(\min) \wedge X(\max) \wedge \forall x, y\, [\mathrm{succ}(x, y) \wedge X(x)] \rightarrow \neg X(y)$,

which expresses that a graph has an odd number of vertices. Intuitively, the
formula says that there is a colouring of the vertices with two colours, say blue
($X$) and red ($\neg X$), that is alternating with respect to the successor relation
and which colours the minimal and the maximal vertex blue. Here, the built-in
relation is a successor relation.

For strings it follows from Büchi’s Theorem [7] that monadic ESO with built-in
linear orders can characterize exactly all regular languages. On the other hand,
we have mentioned before that MESO with built-in addition captures NLIN
[27].

There is a whole series of papers that show non-expressibility of graph connec- 
tivity for extensions of MESO logic by various kinds of built-in relations. The 
following table summarizes some of these results. 



Built-in relations                     Reference
successor relations                    de Rougemont [10]
relations of degree (log n)^{o(1)}     Fagin, Stockmeyer, Vardi [20]
linear order                           Schwentick [45]
relations of degree                    Schwentick [47]
trees                                  Kreidler, Seese [33]
n + edges                              Kreidler, Seese [33]
planar graphs                          Kreidler, Seese [34]
Ai-free                                Kreidler, Seese [34]

Table 1. A list of built-in relations that do not enable MESO logic to express
graph connectivity.

Most of these results can be essentially proved by adapting Fagin’s idea of “one
cycle vs. two cycles”. As a first step, let us consider built-in relations
$(R_n)_{n \ge 1}$ in which one can find many points that are far from each other.
More precisely, let us call built-in relations separated, if they have the
following property.

For each m and d there exists an n such that there is a subset
$V \subseteq \{1, \ldots, n\}$ of size at least m such that two different elements
of V have at least distance d in the finite structure with universe
$\{1, \ldots, n\}$ and the relation $R_n$.¹³

¹² In the context of well-structured built-in relations, like successor, linear
order or addition, a different point of view is convenient. Instead of fixing one
built-in relation for each structure size and varying the graphs, one can think of
fixing a graph and varying all possible built-in relations, e.g., all linear orders.

If built-in relations $(R_n)_{n \ge 1}$ are separated they do not enable MESO to
characterize Graph Connectivity. The recent results of Kreidler and Seese make use
of the fact that this still holds, if $(R_n)_{n \ge 1}$ become separated after
deleting a constant number of elements. More precisely, call built-in relations
$(R_n)_{n \ge 1}$ k-separable, if they have the following property.

For each m and d there exists an n such that there are sets
$V, S \subseteq \{1, \ldots, n\}$ with $|V| = m$ and $|S| = k$, such that two
different elements of V have distance at least d in the finite structure with
universe $\{1, \ldots, n\} - S$ and the relation that is induced by $R_n$ on this
universe.

We call built-in relations separable, if they are k-separable, for some k.

Theorem 8. Graph connectivity cannot be expressed by monadic existential
second-order formulas even in the presence of separable built-in relations.

It is still open whether graph connectivity can be expressed by a MESO formula
in the presence of addition. However, as this logic is at least as powerful as the
unary function fragment of ESO [27], it can be shown that such formulas can
express whether a graph has a connected component of size > n/log n.

Ajtai and Fagin show that directed reachability cannot be expressed by a monadic
ESO formula, even in the presence of several kinds of built-in relations [2].
Cosmadakis showed how non-expressibility results can be transferred to other
problems via suitable reductions [9]. For a generalization of these reductions we
refer also to [46].

With the exception of linear orders all the built-in relations that are listed in 
Table 1 are in fact separable. Hence separable built-in relations are at the limit 
of our ability to prove non-expressibility results concerning monadic ESO. Let 
us call built-in relations strong, if they enable monadic ESO to capture NLIN 
and weak if they do not enable monadic ESO to express graph connectivity. It 
should be noted that strongness is concerned with strings whereas weakness is 
concerned with graphs. In [50] it was shown that the gap between weak and 
strong built-in relations is not very large. For instance, 

— for every $\varepsilon > 0$, there are strong built-in relations of degree
$n^\varepsilon$.

— for every $\varepsilon > 0$, there are strong built-in relations with
$n + n^\varepsilon$ edges.

At the moment, very little is known about how to show the existence of a winning
strategy for the duplicator on structures that are very dense. A notable
exception is an article of Lynch in which he uses Ehrenfeucht games to prove
non-expressibility results for first-order logic in the presence of a built-in
addition [37]. Using methods similar to Lynch's, Ruhl showed very recently that
first-order logic with addition and unary counting quantifiers is not able to
express connectivity [43].

¹³ Even if $R_n$ is not binary the notion of distance can be defined by setting
d(a, b) = 1, if $a \ne b$ and a and b occur in the same tuple of $R_n$, and
extending this definition in the obvious way.

The effort to prove non-expressibility results for stronger and stronger extensions
of monadic ESO has led to the development of many useful tools for dealing with
Ehrenfeucht games. Besides the already mentioned Ajtai-Fagin game, several ways
have been invented to simplify the proof of the existence of a winning
strategy for the duplicator in the first-order Ehrenfeucht game. We refer the
interested reader to [20,4,45,51] and, for a survey, to [19].

A new development in the area of monadic ESO was initiated by Ajtai et al. 
[3]. They consider various closures of monadic ESO, e.g., formulas that allow 
first-order quantification in front of existential monadic second-order quantifiers 
and they prove very nice separation results for some of the resulting logics. 



5.2 Unary Functions 

In the Ehrenfeucht game that is associated with monadic ESO logic the spoiler
is not allowed to define new connections in the two structures. As we have seen
in the last subsection, built-in relations that tie all parts of the structures close
together make the Ehrenfeucht game difficult for the duplicator. This statement
holds even more if the spoiler is allowed to choose such (non-unary) relations.
Therefore it is no surprise that playing the Ehrenfeucht game for, say, binary
ESO logic is hard and that there are only few non-expressibility results. The
most important result here was given by Ajtai [1] who showed that for each k there
is a property that can be expressed by (k + 1)-ary ESO formulas but not by
k-ary ESO formulas. The separating set is, for every k, the set of all
(k + 1)-ary relations that contain an odd number of tuples. It is still open for
which k > 1 this separation holds for graphs, too. Ajtai’s result has also been
used as a tool to separate subclasses of binary ESO. By restricting the relations
that are quantified in binary ESO formulas Durand et al. investigated the fine
structure of binary ESO [12]. They established, with respect to graphs, the
following strict four level hierarchy.

— binary relations, partial orders 

— unary functions, equivalence relations, linear orders, graphs of bounded out- 
degree 

— permutations, successor relations, graphs of bounded in- and out-degree 

— unary relations 

The separations between the first two levels as well as between the second and 
the third level used the mentioned results of Ajtai. 

Durand et al. showed that, by quantifying over two unary functions one can 
express more properties than with only one function [11]. 




Fig. 3. Logical characterizations of complexity classes by fragments of ESO logic
(left diagram) and separations between sublogics of ESO (right diagram). The
underlying structures are graphs (left) and strings (right). (UnF = unary
functions, NcF = non-crossing functions, (∀) = 1 universal fo-quantifier)



6 Conclusion 

Figure 3 summarizes some of the mentioned logical characterizations of com- 
plexity classes and non-expressibility results. 

We tried to demonstrate that descriptive complexity is able to characterize even 
fine-grained differences between complexity classes. Furthermore we wanted to 
point out that the logics that are used to characterize linear time complexity 
classes are not very different from several logics for which there have been non- 
expressibility proofs for concrete problems. Nevertheless, there is still a gap, 
originating in the different underlying representations of structures (strings for 
characterizations, graphs for non-expressibility results) on one hand, and in the 
fact that there seems to be a border between dense and non-dense structures 
that is hard to overcome. 

We conclude with two concrete open problems. 

- Is CHECKSORT in NTIME(n)? (DTIME(n)?) 

- Is graph connectivity expressible by MESO formulas in the presence of 
addition? 

ABSTRACT: Finite state machines have been used to model a wide variety of 
systems, including sequential circuits, and more recently, communication 
protocols. In testing problems we are given a system M, which we may test by 
providing inputs and observing the outputs produced. The goal is to design test 
sequences so that we can deduce desired information, such as the state of M, or 
whether M implements correctly a given specification machine S. In this paper we 
will discuss algorithmic work on basic testing problems for systems modeled by 
different types of finite state machines. 

1. Introduction 

Testing is an essential component of the software (and hardware) development 
cycle. Many control intensive systems are typically modeled by finite state machines. 
Examples include communication protocols in networks, switching features in tele- 
phony, and many others. Testing such systems is an important area that has attracted, 
and continues to attract, a lot of research and development activity both in industry 
and academia. 

In testing problems, we are given a reactive system M (the "Implementation 
Under Test"), i.e. a system which takes inputs and produces outputs in response. The 
problem is to generate appropriate tests to apply to M in order to infer some desired 
unknown information about the system, such as the structure or the state of M. For 
example, a fundamental problem is the conformance testing or fault detection prob- 
lem: Given a specification finite state machine S, test the implementation M (a "black 
box" observed through its input-output behavior) to check that it conforms to its spec- 
ification. For example, S could be a protocol standard to which the system M is 
required to conform. Or, S could be the model of a feature (either a high level 
requirement model or a more detailed design model), and we wish to check that the 
feature has been implemented correctly. 

The area of testing finite state systems has quite an extensive literature, 
starting from the mid 50’s with Moore’s seminal paper on "gedanken experiments" 
[Mo56]. In this paper Moore set up the basic testing framework, posed a number 
of fundamental problems (including for example the conformance testing and the 
machine and the state identification problems), and defined corresponding test 
sequences that address these problems, such as homing, distinguishing, and 
checking sequences. The following years saw the active development of automata 
theory including a number of papers on these problems (see [Ko78] for a survey). 
Precise bounds and characterizations were obtained for some of these sequences; 
yet others were not resolved until more recently, and some questions still 
remain open. 

The early work was motivated mainly by automata theory and circuits. After a 
period of reduced activity during the 70’s and early 80’s, the problems resurfaced 
again and were taken up by the protocols community, where a large number of papers 
has been published motivated mainly by conformance testing of communications pro- 
tocols. 

In this paper we will summarize some of the basic theory with emphasis on the 
algorithmic work. The literature in this area is quite extensive, so we will only touch 
on some of the results here. For a more detailed survey of much of the material we 
refer to [LY96a]. 

The rest of this paper is organized as follows. After introducing briefly in the 
next section some of the underlying definitions, we discuss in Section 3 a number of 
testing problems for deterministic finite state machines: we define different types of 
test sequences for various purposes, and summarize the results on their existence, 
length, and associated algorithms and complexity issues. In Section 4 we discuss 
some optimization problems related to conformance testing and coverage of FSM’s. 
Section 5 concerns Extended Finite State Machines (EFSM’s). Finite state machines 
are a useful model of the control portions of protocols at a high level of abstraction. 
At a more detailed level, it is useful in practice to augment FSM’s with variables, 
leading to an Extended Finite State Machine model, where transitions may depend on 
the values of variables and may modify the variables. In Section 6 we discuss some 
results on nondeterministic and probabilistic FSM’s, and in Section 7 we conclude. 

2. Preliminaries 

Finite state systems can usually be modeled by Mealy machines that produce 
outputs on their state transitions after receiving inputs. There is a variant (the Moore 
model) in which outputs are produced at the states instead of the transitions; the 
theory is essentially the same for the two models. 

Formally, a deterministic (Mealy) finite state machine (FSM) consists of a finite 
set S of states, a (finite) input alphabet I, output alphabet O, a state transition function 
δ: S × I → S, and an output function λ: S × I → O. When the machine is in a current 
state s in S and receives an input a from I it moves to the next state specified by 
δ(s, a) and produces an output given by λ(s, a). Graphically, a FSM can be 
represented by its state transition diagram, a labeled directed graph whose nodes 
correspond to the states, the edges correspond to the state transitions, and each edge is 
labeled with a pair a/b, the input a and output b associated with the transition (see 
Fig. 1). We denote the number of states, inputs, and outputs by n = |S|, p = |I|, and 
q = |O|, respectively. 

Figure 1 

The transition function δ and output function λ can be extended as usual to 
input strings and sets of states. We assume familiarity with the basic theory of FSM’s. 
In particular, recall that two states s, t are equivalent if for every input sequence x 
they produce the same output sequence, λ(s, x) = λ(t, x). The equivalence relation 
among states can be computed efficiently. Two machines M and M' are equivalent iff 
for every state in M there is a corresponding equivalent state in M', and vice versa. 
Two machines are isomorphic if they are identical except for a renaming of states. 
Given a machine, we can “merge” equivalent states and construct a minimized 
(reduced) machine which is equivalent to the given machine and no two states are 
equivalent. The minimized machine is unique up to isomorphism. 

In a testing problem we have a FSM M, about which we have only partial 
information, and wish to infer other missing information by providing inputs and 
observing the produced outputs. The problem is to design a test that allows us to deduce the 
desired information. There are two kinds of tests: preset, in which the input test 
sequence is determined ahead of time before the experiment starts, and adaptive, in 
which the input is determined adaptively online, i.e. the observed output symbols 
influence subsequent input symbols. A preset test is simply an input string. An 
adaptive test is formally a decision tree: a rooted tree whose internal nodes are labeled by 
input symbols, and the edges branching out of each node are labeled by distinct output 
symbols (see Fig. 2). Starting from the root of the tree, at each step of the test we 
input the symbol that labels the current node, and depending on the output produced 
we move to the appropriate child. At a leaf a decision is made concerning the missing 
information. 

Figure 2 

In each testing problem the basic questions of interest are: 

Existence: Is it possible to design a suitable test that achieves the desired goal? 

Length: How long does it need to be? 

Algorithms and Complexity: How hard is it to determine whether the desired tests 
exist and to generate them? 

The above notion of testing is called sometimes active testing to indicate the 
fact that the tester probes actively the machine M under test. There is also a notion of 
passive testing, where the tester is simply a passive observer following passively both 
the inputs to the system M, generated independently by some other entity (i.e. by 
another component interacting with M), and the produced outputs. We will discuss 
mainly active testing, and touch briefly on passive testing at the end. 

3. Deterministic Machines 

In this section we summarize results on five basic problems for deterministic 
FSMs. In the first three problems we have a complete description of the machine M 
under test (i.e. its state transition diagram), but we do not know in which state it is in, 
i.e. its initial state. The objective of the test is to identify or verify the state before or 
after the test. In the other two problems, we do not know the structure of M; the 
objective of the test is to identify or verify the state transition diagram of M. 

3.1. State Identification and Verification Problems 

It is assumed that the machine M is minimized; otherwise the state can be 
determined only up to equivalence. 

Problem 1. Determine the final state of M after the test. 

An input sequence that solves this problem is called a homing sequence. Thus, 
a (preset) homing sequence is an input sequence x such that for any two states s, t, if 
λ(s, x) = λ(t, x) then also δ(s, x) = δ(t, x). For example, a homing sequence for the 
FSM of Fig. 1 is ab: the output is either 11 or 00 or 01, and the corresponding final 
state is respectively s, r, p. The homing sequence problem was completely solved 
early on (see e.g. [Ko78]): Every minimized machine has a homing sequence of length 
at most n(n - 1)/2, which can be constructed efficiently. Furthermore, this bound is 
optimal among both preset and adaptive sequences, i.e. there is a FSM whose shortest 
(preset or adaptive) homing sequence has length n(n - 1)/2. 

In a homing sequence we do not know the final state until we perform the test 
and we observe the output. There is a related type of sequence called a synchronizing 
sequence (sometimes called also a reset sequence) where the final state is independent 
of the output. That is, x is a synchronizing sequence if δ(s, x) = δ(t, x) for all states 
s, t. Not every minimized machine has such a sequence; for example, the FSM of Fig. 
1 does not have one. Given a FSM, it can be efficiently determined (in O(pn^) time) 
whether M has a synchronizing sequence; if it does, then one can always find 
efficiently such a sequence of length O(n³). On the other hand the best lower bound is 
Ω(n²), i.e. there are machines that have a synchronizing sequence and the shortest one 
has length Ω(n²). Closing this gap between the quadratic lower bound and the cubic 
upper bound is still an open problem. 
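
The two definitions above, as an added example that is not part of the original paper: a homing sequence is built by repeatedly separating two states that are still confused, and a synchronizing sequence by repeatedly merging two states. The machines M1 and M2 are constructed for the example (they are not the machine of Fig. 1), and the sequences found are valid but not guaranteed to be shortest.

```python
from collections import deque

def run(m, s, x):
    """Apply input string x from state s; return (final state, output string)."""
    out = ""
    for a in x:
        s, o = m[(s, a)]
        out += o
    return s, out

def pair_search(m, s, t, goal):
    """Shortest input string after which the pair {s, t} satisfies goal, or None."""
    inputs = sorted({a for _, a in m})
    start = tuple(sorted((s, t)))
    seen, queue = {start}, deque([(start, "")])
    while queue:
        (u, v), x = queue.popleft()
        for a in inputs:
            (u2, o1), (v2, o2) = m[(u, a)], m[(v, a)]
            if goal(u2, v2, o1, o2):
                return x + a
            nxt = tuple(sorted((u2, v2)))
            if u2 != v2 and nxt not in seen:  # a merged pair cannot be split again
                seen.add(nxt)
                queue.append((nxt, x + a))
    return None

def homing_sequence(m):
    """Extend x until equal outputs always imply equal final states."""
    states = sorted({s for s, _ in m})
    x = ""
    while True:
        blocks = {}  # observed output -> set of possible final states
        for s in states:
            final, out = run(m, s, x)
            blocks.setdefault(out, set()).add(final)
        ambiguous = next((b for b in blocks.values() if len(b) > 1), None)
        if ambiguous is None:
            return x
        s, t = sorted(ambiguous)[:2]
        sep = pair_search(m, s, t, lambda u, v, o1, o2: o1 != o2)
        if sep is None:
            raise ValueError(f"{s} and {t} are equivalent: machine not minimized")
        x += sep

def is_homing(m, x):
    """Check the definition: same output on x implies same final state."""
    final_for = {}
    for s in sorted({s for s, _ in m}):
        final, out = run(m, s, x)
        if final_for.setdefault(out, final) != final:
            return False
    return True

def synchronizing_sequence(m):
    """Merge pairs of possible current states; None if some pair cannot merge."""
    x, current = "", {s for s, _ in m}
    while len(current) > 1:
        s, t = sorted(current)[:2]
        merge = pair_search(m, s, t, lambda u, v, o1, o2: u == v)
        if merge is None:
            return None  # this pair stays apart under every input string
        x += merge
        current = {run(m, q, merge)[0] for q in current}
    return x

# Constructed machines: (state, input) -> (next state, output).
# In M1 both inputs permute the states, so no two states can ever be merged.
M1 = {("p", "a"): ("r", "0"), ("r", "a"): ("s", "0"), ("s", "a"): ("p", "1"),
      ("p", "b"): ("p", "0"), ("r", "b"): ("r", "1"), ("s", "b"): ("s", "0")}
# M2 differs in one transition: input b now takes r to p.
M2 = {**M1, ("r", "b"): ("p", "1")}

if __name__ == "__main__":
    print("M1 homing:", homing_sequence(M1))
    print("M1 synchronizing:", synchronizing_sequence(M1))
    print("M2 synchronizing:", synchronizing_sequence(M2))
```
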

Problem 2. Determine the initial state of the machine before the test starts (State 
Identification Problem). 

An input sequence that solves this problem is called a distinguishing sequence. 
Thus, a preset distinguishing sequence is an input sequence x such that any two states 
s, t have λ(s, x) ≠ λ(t, x). Not every minimized FSM has a preset or adaptive 
distinguishing sequence. For example, the FSM of Fig. 1 does not have a preset 
distinguishing sequence. To see this, note that such a sequence cannot start with a b 
because then we will never be able to tell whether the machine started at state p or r. 
Furthermore, after any sequence of a’s, the machine can be in one of the two states 
p, r (recall in a preset test we pick the input sequence without observing the output), 
thus we can never apply b for the same reason. However, a sequence of a’s cannot 
distinguish between the initial states p and r. Although distinguishing sequences 
were defined early on by Moore, and used extensively since then, their complexity 
was not addressed until [LY94]. It is shown there that determining whether a FSM has 
a preset distinguishing sequence is a PSPACE-complete problem. Furthermore, there 
are machines that have such a sequence but the shortest preset distinguishing 
sequence is of exponential length. 

A FSM may not have a preset distinguishing sequence, but may have an adap- 
tive one. The FSM of Fig. 1 is such an example, with the adaptive distinguishing 
sequence shown in Fig. 2. The leaves of the tree are labelled by the initial states of 
the machine. There are however minimized machines that don’t have even an adap- 
tive distinguishing sequence. 

Sokolovskii showed that if there is an adaptive distinguishing sequence then 
there is one of quadratic length [So71]. His argument was nonconstructive (i.e. did 
not suggest an efficient algorithm). The complexity of the existence question was 
resolved in [LY94] which gave a polynomial time algorithm (more precisely, 
O(pn log n)) that determines whether a given FSM has an adaptive distinguishing 
sequence. In this case one can construct such a sequence of length n(n - 1)/2 (which 
is best possible in general) in time O(pn^). 

Problem 3. The machine is supposed to start at a particular initial state s₀; verify that 
it is initially indeed in that state (State Verification Problem). 

An input sequence that solves this problem is called a UIO (Unique Input 
Output) sequence for s₀. It is a sequence x that has the property that λ(s₀, x) ≠ λ(t, x) for 
any other state t. For a minimized FSM it is possible that all, some or none of the 
states have a UIO sequence. If the FSM has an adaptive distinguishing sequence then 
all its states have a UIO sequence; for example, a UIO sequence for the state s of the 
FSM of Fig. 1 is the sequence aab that labels the nodes on the path from the root to 
the leaf that decides that the initial state is s. Adaptiveness does not make a difference 
for the state verification problem. 

UIO sequences have been studied more recently in the protocols community, in 
particular there is a large number of papers following [SD88] that design conformance 
tests using UIO sequences. In general, for a given FSM it is a PSPACE-complete 
problem to determine whether a state has a UIO sequence; furthermore, even if there 
is one, it is possible that the shortest such sequence is of exponential length [LY94]. 

The sequences defined in this subsection are useful also for the following prob- 
lems. 



3.2. Machine Identification and Verification Problems 

In this setting we do not know the state diagram of the machine M that is being 
tested. 

Problem 4. Determine the state diagram of M (Machine Identification Problem). 

Some assumptions need to be made on M to permit a solution to the problem. It 
is typically assumed that we know (an upper bound on) the number of states n and of 
course the input alphabet, and that M is minimized (otherwise we can only determine 
it up to equivalence) and is strongly connected. 

The machine identification problem was addressed by Moore in his original 
paper [Mo56]. He showed that under the above assumptions the machine M can be 
always identified, and he gave an exponential algorithm for it. Furthermore, he 
showed that an exponential length test is in general required both for preset and 
adaptive tests. 

Work in the machine learning community has obtained positive results on the 
machine identification problem in a more relaxed model, where one has recourse to an 
oracle (the "teacher") that answers equivalence queries, i.e. one can ask the oracle 
whether M is equivalent to a conjectured machine S, and receive either an affirmative 
answer or a counterexample input string x that distinguished the two machines. In 
this model, Angluin gave a deterministic polynomial time identification (learning 
algorithm) in the case of machines with a reset capability, i.e., an input symbol r that 
takes every state to the same initial state [An87]. Rivest and Schapire devised a 
randomized polynomial time algorithm in the absence of a reset [RS89]. 

Problem 5. We are given the complete description of a "specification" machine S; 
determine whether M is equivalent to S (Machine Verification Problem). 

This is the basic testing problem, usually called the Conformance Testing or 
Fault Detection Problem. An input test sequence that solves it is called a checking 
sequence. Again certain assumptions need to be made to ensure a solution. Typical 
assumptions are that the specification machine S is strongly connected and 
minimized, and the input alphabet of M is the same as S. Note that if S has a reset symbol, 
then its transitions are included in establishing the strong connectivity of S. 
Furthermore, most of the studies assume that M has the same number of states as S; in this 
case, machine equivalence means isomorphism. This last assumption is equivalent to 
a fault model where there are two types of faults, output faults, i.e. transitions may 
produce the wrong output, and next state (or transfer) faults, i.e., transitions may go to 
the wrong next state. In general there may be an arbitrary number of such faults 
which can mask each other and make testing harder. 

Suppose we do not know the initial state. A checking experiment usually starts 
by applying a homing sequence (of S), after which we know the state of M (if it is 
correct). The rest of the test starts from this initial state s₀. The implementation 
machine M passes the test if it produces the same output sequence as the specification 
machine S starting from s₀. 

Output Faults. If the only possible faults are output faults, then we only need 
follow a transition tour of S starting from s₀, i.e. a path that traverses all the 
transitions of S. Such a tour has polynomial length and can be easily constructed, in 
fact the shortest tour can be constructed in polynomial time using a Chinese Postman 
algorithm [EJ73]. 

Output and Next State Faults. This is a harder problem due to the controllabil- 
ity and observability problems. If the specification machine S has a reset r which is 
"reliable", i.e. works correctly in the implementation machine M (maps every state to 
the same reset state), then there is a deterministic polynomial time algorithm that con- 
structs a checking sequence of length O(pn^) [Ch78, CVI89, Va73]. This bound is 
best possible, in the sense that there are specification machines S which require this 
length up to a constant factor. 

If there is no reset or there is a reset but it is not reliable, then the problem is 
harder. A number of algorithms have been proposed over the years, starting with 
Hennie’s work [He64]. They all have the same basic structure, and check the 
transitions of S one by one. Checking a transition from s to t with label a/b involves (1) 
applying an input sequence that takes the machine to s, (2) applying input a (checking 
that M outputs b), and (3) applying a sequence to verify the state t. This segment may 
have to be repeated several times with different verification sequences for step (3). 
The various methods use different types of sequences to verify the endstate t of a 
transition. Hennie used distinguishing sequences and proved that if S has a distinguishing 
sequence x*, then it has a checking sequence of length polynomial in x*. Although 
preset distinguishing sequences can be exponentially long, one may use just as well 
adaptive distinguishing sequences which can be assumed to be O(n²) if they exist, 
yielding in this case checking sequences of length O(pn^). Several other papers 
starting with [SD88] use UIO sequences to verify the endstate t of transitions. As 
observed in [CVI89] however, the resulting test sequence does not necessarily 
guarantee that a machine M that passes this test is equivalent to S. 
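
Why step (3) matters, as an added example that is not part of the original paper: a transition tour exposes an output fault but can miss a next state fault, while tests of the form "reach s, apply a, verify the end state" expose it. The specification SPEC and both faulty implementations are constructed; the example assumes a reliable reset to state p before every test, uses a greedy tour rather than the shortest (Chinese Postman) tour, finds a preset distinguishing sequence by brute force, and does not produce a complete checking sequence.

```python
from collections import deque
from itertools import product

INPUTS = "ab"
START = "p"
# Constructed specification S: (state, input) -> (next state, output).
SPEC = {("p", "a"): ("r", "0"), ("r", "a"): ("s", "0"), ("s", "a"): ("p", "1"),
        ("p", "b"): ("p", "0"), ("r", "b"): ("r", "1"), ("s", "b"): ("s", "0")}
# Constructed faulty implementations, one fault each.
OUTPUT_FAULT = {**SPEC, ("r", "b"): ("r", "0")}    # wrong output on r --b-->
TRANSFER_FAULT = {**SPEC, ("s", "b"): ("p", "0")}  # s --b--> goes to p, not s

def run(m, s, x):
    """Apply input string x from state s; return (final state, output string)."""
    out = ""
    for a in x:
        s, o = m[(s, a)]
        out += o
    return s, out

def transition_tour(spec, start):
    """Greedy tour: always walk to the nearest transition not yet traversed."""
    uncovered, tour, cur = set(spec), "", start
    while uncovered:
        seen, queue, path = {cur}, deque([(cur, "")]), None
        while queue and path is None:
            s, x = queue.popleft()
            for a in INPUTS:
                if (s, a) in uncovered:
                    path = x + a
                    break
                t = spec[(s, a)][0]
                if t not in seen:
                    seen.add(t)
                    queue.append((t, x + a))
        if path is None:
            raise ValueError("specification is not strongly connected")
        for a in path:
            uncovered.discard((cur, a))
            cur = spec[(cur, a)][0]
        tour += path
    return tour

def distinguishing_sequence(spec, max_len=4):
    """Brute-force preset distinguishing sequence (exponential; toy sizes only)."""
    states = sorted({s for s, _ in spec})
    for n in range(1, max_len + 1):
        for x in map("".join, product(INPUTS, repeat=n)):
            if len({run(spec, s, x)[1] for s in states}) == len(states):
                return x
    return None

def access_sequences(spec, start):
    """Shortest input string from the reset state to each state (step 1)."""
    acc, queue = {start: ""}, deque([start])
    while queue:
        s = queue.popleft()
        for a in INPUTS:
            t = spec[(s, a)][0]
            if t not in acc:
                acc[t] = acc[s] + a
                queue.append(t)
    return acc

def checking_tests(spec, start):
    """One test per transition: reach s, apply a, then verify the end state."""
    acc, ds = access_sequences(spec, start), distinguishing_sequence(spec)
    return sorted(acc[s] + a + ds for (s, a) in spec)

def passes(spec, impl, start, tests):
    """True if impl produces the specified output on every test."""
    return all(run(spec, start, x)[1] == run(impl, start, x)[1] for x in tests)

if __name__ == "__main__":
    tour = transition_tour(SPEC, START)
    suite = checking_tests(SPEC, START)
    print("tour:", tour, "catches output fault:",
          not passes(SPEC, OUTPUT_FAULT, START, [tour]))
    print("tour catches transfer fault:",
          not passes(SPEC, TRANSFER_FAULT, START, [tour]))
    print("suite:", suite, "catches transfer fault:",
          not passes(SPEC, TRANSFER_FAULT, START, suite))
```
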

In the general case, a randomized polynomial time algorithm is given in 
[YL95]. The algorithm constructs from the given FSM S a test sequence of 
polynomial length (namely, O(pn^ + p'n^ log n) where p' = min(p, n)) which is a checking 
sequence with high probability. The probability is with respect to the random choices 
of the algorithm; the specification S is worst-case (not probabilistic). Random FSM’s 
are much better behaved and have in most cases checking sequence of length within 
polylog factors of the number pn of transitions. 

It remains an open problem to give a deterministic polynomial length 
construction in general. An interesting combinatorial universal traversal problem related to 
this question is the following. Consider all directed graphs with n nodes and 
outdegree d, i.e. every node has d outgoing arcs labeled 1, ..., d. Let us say that a sequence 
x over {1, ..., d} is a blocking sequence if for every degree-d graph G and starting 
node v, the path of G traversed by following the sequence x starting from v traverses 
all the arcs out of at least one node of G (one node is enough). A simple argument 
shows that a random sequence of polynomial length (in n and d) is a blocking 
sequence with high probability. Is there a deterministic construction? Such a 
construction would yield a deterministic polynomial construction of checking 
sequences for all FSM’s S. 

The above results extend to the case of implementation machines that may have 
extra states beyond those of S; the length is multiplied by an exponential factor in the 
number of additional states and this factor is inherent [Va73]. The methods extend 
also to partially specified specification FSM’s (see [YL95] for the details). 

4. Optimizations 

The number and size of tests that one can run is determined by the type of test- 
ing and the test execution environment. For example, system tests run in a test lab 
typically involve setting up the equipment and take actual lab time, so one can only 
run a limited number of them. In any case, it is important to optimize the use of 
resources as far as possible and choose carefully tests to minimize their number and 
length while meeting a desired level of fault coverage. 

Checking sequences guarantee complete fault coverage for output and next state 
faults, but they are often too long for many practical applications and thus one has to 
lower the sights and use heuristic or less complete procedures. For example, in circuit 
testing, test sequences are generated based on specific fault models that significantly 
limit the possible faults [AS88]. An objective that is often used in both circuit testing 
and protocol testing is to generate a test sequence that exercises each transition of the 
specification machine at least once. This criterion corresponds to the output fault 
model. As we mentioned earlier, a shortest covering path (a Postman Tour) for a 
given (strongly connected) specification machine S can be computed in polynomial 
time [EJ73, NT81, UD86]. 

If one can afford longer sequences, then one would like to apply also some 
testing of the endstates of the transitions. Suppose that we have a "verification" sequence 
x_t for each state t (for example a UIO sequence if it exists). An objective then might 
be to construct a path through the machine S which contains for each transition (s, t) 
of S, a segment consisting of the transition followed by the verification sequence x_t 
for t. For instance, one may seek an ordering of the transitions of S and then 
construct a path by taking each transition (s, t) in turn, transferring by a shortest path 
from the current state to the head state s of the transition, going to the tail t and then 
applying the verification sequence x_t. Choosing the best ordering can be translated to 
the Rural Postman Problem. It is in general an NP-hard problem, but under some 
constraints a polynomial time solution can be obtained for a class of communication 
protocols [ADLU91]. In this method (that combines segments of the transitions in some 
order) the segments of the different transitions are disjoint. It is possible that a shorter 
test sequence can be obtained by overlapping the segments. There are several papers 
in the literature that propose heuristics for taking advantage of overlaps in order to 
reduce the total length of tests [CCK90, SL89, YU90]. 

In the above discussion it is assumed that the specification machine S is 
strongly connected, thus it can be covered by one sequence. In many applications, S 
has a distinguished initial state s₀ and it can be considered strongly connected only by 
virtue of a reset (reinitialization). In these cases, when testers talk about a test 
sequence (or scenario) they refer to an execution that starts at the initial state. For 
example, in telephony, the initial state is the idle state and a scenario corresponds to 
the processing of a call (which may involve several call participants and features) 
from beginning to end. 

The primary concern in this setting is to minimize the number of tests, and the 
secondary concern is the length of the tests. Given a FSM S, we can compute in 
polynomial time a set of test sequences that (1) minimizes the number of tests, and (2) 
minimizes their total length (among all sets that minimize the number). The algorithm 
is useful in various contexts. It is being incorporated for example in uBET, the Lucent 
Behavior Engineering Toolset for requirement capture and analysis. 

Other coverage criteria are also of interest sometimes, where one may not be 
able to optimize in polynomial time both objectives, the number of tests and their 
length. We mention for example the case of node coverage. In this case, one can 
compute a set of tests that minimizes the number, but minimizing the length is in general 
NP-hard. The hard case is that of strongly connected graphs; for acyclic graphs one 
can minimize both objectives, but in the strongly connected case the problem amounts 
to the directed TSP. 

5. Extended Finite State Machines 

In many applications it is convenient to use variables to model protocols and 
system designs at a more detailed level; the pure finite state machine model is not 
powerful enough to model in a succinct way systems at this level. Extended finite 
state machines, which are finite state machines extended with variables, are com- 
monly used either directly or more commonly through various related design specifi- 
cation languages such as SDL and VFSM. For instance, IEEE 802.2 LLC [ANSI89] 
is specified by 14 control states, a number of variables, and a set of transitions (pp. 
75-117). For example, a typical transition is (p. 96): 
current_state SETUP 
input ACK_TIMER_EXPIRED 
predicate S_FLAG = 1 
output CONNECT_CONFIRM 
action P_FLAG := 0; REMOTE_BUSY := 0 
next_state NORMAL 

In state SETUP and upon input ACK_TIMER_EXPIRED, if variable S_FLAG has 
value 1, then the machine outputs CONNECT_CONFIRM, sets variables P_FLAG 
and REMOTE_BUSY to 0, and moves to state NORMAL. 

An extended finite state machine (EFSM) is a FSM augmented with a (finite) 
set of variables (such as Boolean variables and counters). Every transition, say s → t, 
has an associated predicate P on the set of variables and an action A (transformation 
on the variable values), in addition to the input and output. The transition can take 
place if the system is at state s, the variable values satisfy the predicate P and the 
appropriate input is received. Then the appropriate output is produced, the variables 
are updated according to A and the system moves to state t. 

Given an EFSM M, each combination of a state and variable assignment 
represents the global state of the system and is called a configuration. If the variables have 
bounded domains (for example Boolean variables), then there is a finite number of 
configurations and thus an EFSM M is really a compact representation of an 
equivalent ordinary FSM M'. In principle one could test an EFSM M by expanding it to 
M' and applying one of the FSM methods. However, in practice the expanded FSM is 
often quite large due to the state explosion problem and hence the methods for 
ordinary FSM’s yield large tests and are not applicable. 

Thus, in this case we have to look for tests that achieve more modest goals. The 
most common goal is to ensure that each transition of the EFSM is executed at least 
once. Typically, there is a specified initial configuration u₀ of the EFSM (i.e. initial 
state and variable assignment) and the objective is to generate a minimum set of test 
sequences that is "complete" in the sense that it covers all the transitions of the EFSM. 
Unlike the case of ordinary FSM’s, this is not a computationally easy (polynomial) 
problem anymore. 

From the given EFSM M and initial configuration u₀, one can construct the 
reachability graph consisting of all configurations and transitions reachable from 
u₀ (a subgraph of the expanded FSM M'). This graph is often large. One can use in 
place of the reachability graph an equivalent minimized graph which collapses 
all configurations of the reachability graph that are equivalent in terms of the 
transitions that they can perform. Such a minimized graph can be constructed efficiently 
directly from the EFSM M in an online fashion, provided one can use suitable 
symbolic representations for sets of configurations [LY92]. Let G in the following be the 
reachability graph or its minimized version G_min. Every transition of the EFSM 
gives rise to a number of transitions (edges) of G. Associate a unique "color" with 
each transition of the EFSM M, and color correspondingly every edge of G. The 
problem of generating a minimum complete test set for the EFSM M translates to the 
following colored graph covering problem: generate a minimum set of paths in G that 
start at the initial node u₀ and cover all the colors [LY96b]. We could in addition 
color the nodes of G. The covering problem can be reduced to the case of DAGs, by 
shrinking the strong components of G and associating with the resulting node the set 
of colors that occur within the component. 

The above colored graph covering problem is NP-hard, and furthermore it 
cannot be approximated in polynomial time to a factor better than log n (unless of course 
P=NP). A greedy heuristic is the following: seek a path that covers the maximum 
number of colors, delete the colors and iterate. This would achieve a log n 
approximation factor if only we could find such a maximum color path. Unfortunately, this is 
an NP-hard problem as well, and it is also MAX SNP-hard (i.e. cannot be 
approximated arbitrarily close to 1). One can apply a greedy heuristic to look for a good path 
in the DAG of strong components that covers many colors. There are several greedy 
variants. Most can be in the worst case quite bad: it is possible that the optimal path 
covers c colors and the greedy heuristics construct a path with O(1) colors; the best 
greedy variant constructs a path with O(√c) colors. It is an interesting open problem 
to find better approximation algorithms for these problems. 
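
The construction described in this section, as an added example that is not part of the original paper: an EFSM is expanded into its reachability graph of configurations, every edge carries the color of the EFSM transition it comes from, and a simple greedy walk generates tests from u₀ until all colors are covered. Only the first transition is the one quoted above; the other transitions, the names prefixed X_, the CLOSED state and the initial variable values are constructed, and the nearest-uncovered-color walk is one plain greedy variant, not the algorithm of [LY96b].

```python
from collections import deque

# EFSM transition: (state, input, predicate, output, action, next_state).
# A transition's index in TRANSITIONS is its color in the reachability graph.
TRANSITIONS = [
    # color 0: the transition quoted in the text
    ("SETUP", "ACK_TIMER_EXPIRED", lambda v: v["S_FLAG"] == 1,
     "CONNECT_CONFIRM", {"P_FLAG": 0, "REMOTE_BUSY": 0}, "NORMAL"),
    # colors 1-5: constructed for this example, not taken from any standard
    ("SETUP", "ACK_TIMER_EXPIRED", lambda v: v["S_FLAG"] == 0,
     "X_RETRY", {}, "SETUP"),
    ("SETUP", "X_PEER_ACK", lambda v: True,
     "X_NONE", {"S_FLAG": 1}, "SETUP"),
    ("NORMAL", "X_PEER_BUSY", lambda v: v["REMOTE_BUSY"] == 0,
     "X_NONE", {"REMOTE_BUSY": 1}, "NORMAL"),
    ("NORMAL", "X_ABORT", lambda v: v["REMOTE_BUSY"] == 1,
     "X_ABORTED", {}, "CLOSED"),
    ("NORMAL", "X_DISCONNECT", lambda v: v["REMOTE_BUSY"] == 0,
     "X_DISC_CONFIRM", {}, "CLOSED"),
]

def config(state, variables):
    """A configuration: control state plus a hashable variable assignment."""
    return (state, tuple(sorted(variables.items())))

# Constructed initial configuration u0.
U0 = config("SETUP", {"S_FLAG": 0, "P_FLAG": 1, "REMOTE_BUSY": 1})

def successors(cfg):
    """Yield (color, input, next configuration) for each enabled transition."""
    state, items = cfg
    v = dict(items)
    for color, (src, inp, pred, _out, action, dst) in enumerate(TRANSITIONS):
        if src == state and pred(v):
            yield color, inp, config(dst, {**v, **action})

def reachability_graph(u0):
    """Configurations reachable from u0, each with its colored outgoing edges."""
    graph, queue = {}, deque([u0])
    while queue:
        cfg = queue.popleft()
        if cfg not in graph:
            graph[cfg] = list(successors(cfg))
            queue.extend(nxt for _, _, nxt in graph[cfg])
    return graph

def path_to_uncovered(graph, cur, uncovered):
    """Shortest edge path from cur that ends with an uncovered color, or None."""
    seen, queue = {cur}, deque([(cur, [])])
    while queue:
        cfg, path = queue.popleft()
        for color, inp, nxt in graph[cfg]:
            if color in uncovered:
                return path + [(color, inp, nxt)]
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(color, inp, nxt)]))
    return None

def greedy_tests(graph, u0):
    """Return (tests as input lists, colors that no path from u0 can cover)."""
    uncovered, tests = set(range(len(TRANSITIONS))), []
    while uncovered:
        cur, test = u0, []
        while (path := path_to_uncovered(graph, cur, uncovered)):
            for color, inp, nxt in path:
                uncovered.discard(color)
                test.append(inp)
                cur = nxt
        if not test:  # whatever is left is unreachable from u0
            break
        tests.append(test)
    return tests, uncovered

if __name__ == "__main__":
    G = reachability_graph(U0)
    print(len(G), "reachable configurations out of", 3 * 2 ** 3)
    for t in greedy_tests(G, U0)[0]:
        print(" -> ".join(t))
```
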

In spite of the negative results in the worst case, the greedy heuristics were 
applied to real systems with very good results (i.e. coming very close to easy lower 
bounds). In these cases it turned out that a few tests covered a large number of colors, 
and the remaining tests (which formed the bulk of the whole set) covered a few 
additional colors each. In the latter case one can actually find efficiently the best path: if 
the maximum number c of colors in a path is bounded (i.e. is a constant) then one can 
compute the maximum color path in essentially linear time in the size of the graph 
(more precisely, randomized time or deterministic time log k where m 
is the size of the graph and k the number of colors). 

Some of these algorithms are included in Pithia, an internal Lucent test generation 
tool for FSM and EFSM models [LY99h]. There is also a commercial test generation 
tool based on EFSMs by Teradyne called TestMaster (see e.g. [Ap95] and the 
teradyne.com web site for more information). 

6. Nondeterministic and Probabilistic Machines 

In a nondeterministic machine a state may have several transitions corresponding 
to the same input, which may go to different states or produce different outputs. 
In a probabilistic machine, every transition has an associated probability, with the 
restriction that for each state s and input a, the sum of the probabilities of all the 
transitions out of state s on input a is equal to 1. Thus a probabilistic FSM is essentially a 
Markov Decision Process, where the inputs correspond to the actions of the process. 

Nondeterminism may model different aspects in a specification or implementa- 
tion FSM. One case is that of a specification S (for example a standard) that offers dif- 
ferent alternative choices that are modeled by the nondeterminism. Different ways of 
resolving the nondeterminism yield different deterministic machines derived from S, 
all of which are considered as acceptable implementations (i.e. conforming to S). A 
simple example is the case of partially specified (deterministic) FSMs: the partial 
specification prescribes only a subset of the transitions, while the rest of the transi- 
tions can be chosen independently. 

A different kind of nondeterminism in the specification or implementation 
machine arises when there are aspects that have been abstracted away from the FSM 
state, or there are actions that are not under the control of the tester that provides the 
inputs; hence the machine may behave differently at different times — either in an 
arbitrary fashion (nondeterministic FSMs) or following some probabilistic rule 
(probabilistic FSMs). There has been less algorithmic work on the testing of 
nondeterministic and probabilistic machines. The problems are generally harder. 

Consider the first interpretation of nondeterminism. That is, we are given a 
nondeterministic specification FSM S, and a deterministic FSM M, and we wish to 
determine whether M conforms to S, i.e. can be derived from S by choosing one tran- 
sition for each state and input. Even the white-box testing problem, where we have 
complete knowledge of the implementation FSM M and its state, is in general NP- 
hard [LY99a]. Under some circumstances (basically if the specification FSM S has a 
substantial core of deterministic transitions that can distinguish the states) it is possi- 
ble to perform efficiently black-box (as well as white box) testing. 

Consider the second interpretation of nondeterminism, and suppose we are 
given a black-box NFSM M. Can we design a test sequence that tells apart a 
specification NFSM S from a given possible "faulty" machine S', i.e. an input sequence x 
which we can apply to M, observe the output and either conclude "Pass" if M = S, 
"Fail" if M = S' (and the conclusion can be arbitrary if M is not equal to either S or 
S')? In the deterministic case, this amounts to machine (or state) equivalence, which 
of course can be done efficiently. For nondeterministic machines the problem is much 
harder. In the preset case the problem is PSPACE-complete, and in the adaptive case 
it is EXPTIME-complete [ACY95]. 

Similar questions can be posed for probabilistic FSMs. In this case we want to 
distinguish between different machines (or between different states) with probability 
tending to 1. The complexity of the problems turns out the same, i.e. PSPACE-com- 
plete in the preset case, and EXPTIME-complete in the adaptive case although the 
algorithms are different [ACY95]. 

These distinguishing problems for nondeterministic and probabilistic FSM can 
be viewed as two person games with incomplete information. The nondeterministic 
FSM case corresponds to a game between a purposeful player (the tester) and a mali- 
cious adversary; in the probabilistic case the adversary plays at random. Preset testing 
corresponds to blindfold (no information) games, and adaptive testing corresponds to 
partial information games. 

7. Conclusions 

There has been extensive work over the years on problems related to the testing 
of finite state systems. We summarized here some of the algorithmic results on these 
problems for different types of finite state machines. We discussed mainly active 
testing. There is some interesting work also on passive testing, for example work on 
inference of Markov chains from their outputs (e.g. in the information theory and CS 
theory communities), and inference of finite automata (in learning theory and 
robotics). 

Developing effective methods for automatic test generation of finite state 
machines is important from the practical side given the wide use of FSM models in 
many types of applications. At the same time it poses several interesting theoretical 
questions. Much work remains to be done in particular for extended, for 
nondeterministic, and for communicating finite state machines. 

Abstract. The well-known completeness theorem of Bergstra & Tucker 
[BT82,BT87] states that all computable data types can be specified without 
quantifiers, i.e., quantifiers can be dispensed with — at least if the 
introduction of auxiliary (hidden) functions is allowed. 

However, the situation concerning the specification without hidden func- 
tions is quite different. Our main result is that, in this case, quantifiers 
do contribute to expressiveness. More precisely, we give an example of a 
computable data type that has a monomorphic first-order specification 
(without hidden functions) and prove that it fails to possess a monomor- 
phic quantifier-free specification (without hidden functions). 



1 Introduction 

The expressive power of first-order algebraic specification methods has been ex- 
tensively studied over several years, e.g., by Majster [Maj79], Bergstra & Tucker 
[BT82,BT87], the ADJ-group [TWW82], and others [Ore79,BBTW81,Wir90]. 

One main result is that, if equipped with hiding mechanisms, all common 
algebraic specification methods are adequate for computable¹ data types. Here, 
hiding means that local definitions of auxiliary functions can be added for reasons 
of specification only; these functions are hidden from the user of the specified 
data type. Bergstra & Tucker [BT82,BT87] proved that any computable algebra 
$A$ possesses a quantifier-free specification involving at most $2n + 3$ hidden 
functions (where $n$ is the number of sorts in $A$) that defines $A$ under both its initial 
and final algebra semantics. Hence, by using hiding mechanisms, a monomorphic 
quantifier-free specification can be constructed for any computable data type.² 

* This research has partly been supported by the “Deutsche Forschungsgemeinschaft” 
within the “Schwerpunktprogramm Deduktion”. The results were obtained in the 
course of [Kem98]. 

¹ We define the notions of (computable) data types, specifiability, etc. in section 2. 

² On the other hand, any data type defined by a monomorphic quantifier-free 
specification is computable (cf. [Wir90, Theorem 4.2.1]). Hence, the computability of a 
data type is characterized by specifiability without quantifiers. 

Consequently, if one is interested in specifying computable data types only 
(which is reasonable in most practical applications), the use of quantifiers does 
not enhance expressiveness.³ 

However, the situation changes substantially if we do not allow hidden func- 
tions. In particular, the completeness for computable data types is lost: there 
are examples of data types that are computable but fail to possess monomorphic 
first-order specifications without hidden functions [Ber93,Sch97a,Sch97b]. The 
loss of expressiveness caused by disabling hiding therefore cannot be compen- 
sated completely, even if arbitrary first-order quantification is used. Naturally, 
the question arises whether quantification makes up for this loss at least to some 
extent. In other words: if a quantifier-free specification without hidden functions 
does not exist, can we hope to find at least a first-order specification (using 
quantifiers) without hidden functions? 

This paper gives a positive answer by proving 

Theorem 1. There is a computable data type that possesses a monomorphic 
first-order specification without hidden functions but fails to have a monomorphic 
quantifier-free specification without hidden functions. 

While this theorem states what one would expect, it is difficult to identify 
examples of the required class of data types. Especially, in order to prove that a 
data type cannot be specified without quantifiers, non-standard models have to 
be constructed for any potential quantifier-free specification. 

The paper is organized as follows: Section 2 recalls some basic definitions. 
In section 3, we demonstrate that following a naive approach does not result 
in examples of data types that point out the necessity of quantifiers. Section 4 
presents a solution, i.e. a data type A that is claimed to have a monomorphic spe- 
cification with quantifiers but none without (both not using hidden functions). 
The first property is established in section 5, the second in section 6. Finally, in 
the last section, we draw conclusions and discuss related work. 

2 Preliminaries 

We assume the reader to be familiar with the very basic notions of algebraic 
specification (cf. e.g. [Wir90] or [LEW96]) like those of (many-sorted) signature 
$\Sigma = (S, F)$, (total) $\Sigma$-algebra $A = ((s^A)_{s \in S}, (f^A)_{f \in F})$, and $\Sigma$-homomorphism. 

The set of terms $T(\Sigma, X)$ with variables taken from $X$ is defined as usual. 
Terms without variables are called ground terms. A $\Sigma$-algebra $A$ is called 
term-generated if there is a denotation, i.e. a ground term $t \in T(\Sigma, \emptyset)$ with $t^A = a$, 
for each of its carrier elements $a \in s^A$ ($s \in S$). The class of all term-generated 
$\Sigma$-algebras is denoted by $Gen(\Sigma)$. 

³ Of course, there are non-computable data types which can be specified using 
quantifiers but — as argued in footnote 2 — not without. More precisely, even all arithmetical 
data types possess a monomorphic first-order specification (cf. the proof of [Wir90, 
Lemma 5.3.8]). 

Two $\Sigma$-algebras $A$, $B$ are called isomorphic if there is a bijective 
$\Sigma$-homomorphism $h : A \to B$. The isomorphism class of a $\Sigma$-algebra $A$, also called the 
“abstract” data type, is denoted by $[A]$. Sometimes, we simply speak of the data 
type $A$. 

A $\Sigma$-algebra $A$ is called computable if it is isomorphic to a computable number 
algebra, an algebra in which all carrier sets are decidable subsets of $\mathbb{N}$ and all 
functions are computable. 

Atomic $\Sigma$-formulas are $\Sigma$-equations $t_1 = t_2$ (where $t_1, t_2 \in T(\Sigma, X)$ are 
terms of the same sort) and the boolean constant false. First-order $\Sigma$-formulas 
are built from the atomic ones using the logical connectives $\neg$ and $\land$, and the 
quantifier $\exists$. Further logical operators such as true, $\lor$, $\leftrightarrow$, and $\forall$ are 
regarded as abbreviations. 

The usual satisfaction of a $\Sigma$-formula $\varphi$ by a $\Sigma$-algebra $A$ w.r.t. a valuation 
$v : X \to A$ is denoted by $A, v \models \varphi$. We write $A \models \varphi$, and say that $\varphi$ is valid 
in $A$, if $A, v \models \varphi$ holds for all valuations $v$. For a set $\Phi$ of $\Sigma$-formulas, we write 
$A \models \Phi$ if $A \models \varphi$ for all $\varphi \in \Phi$. 

A (first-order algebraic) specification $SP = (\Sigma, \Phi)$ consists of a signature $\Sigma$ 
and a finite set $\Phi$ of $\Sigma$-formulas, called axioms. If the formulas in $\Phi$ do not contain 
quantifiers, we speak of quantifier-free specification. We adopt loose semantics 
and define $Mod(SP) := \{A \in Gen(\Sigma) \mid A \models \Phi\}$ to be the set of models of $SP$. 
If $A \models \varphi$ for all $A \in Mod(SP)$, we simply write $SP \models \varphi$. 

A specification $SP$ is called monomorphic if any two of its models are 
isomorphic, i.e. if there is — up to isomorphism — at most one element in $Mod(SP)$. 
A specification $SP = (\Sigma, \Phi)$ is said to specify a $\Sigma$-algebra $A$ (and also the 
corresponding abstract data type $[A]$) if $Mod(SP) = [A]$. Hence, a specification $SP$ 
specifies a $\Sigma$-algebra $A$ if and only if $SP$ is monomorphic and $A \in Mod(SP)$. 

A $\Sigma$-algebra $A$ with $\Sigma = (S, F)$ can be specified with hidden functions if there 
is a super-signature $\Sigma' = (S, F \cup HF)$ (where $HF$ denotes the additional hidden 
function symbols) and a $\Sigma'$-algebra $A'$ with $A$ as its $\Sigma$-reduct, i.e. $A'|_\Sigma = A$, 
such that $A'$ possesses a specification. 



3 A first approach: primality of numbers 

When looking for a suitable example to prove theorem 1, one that might come 
to mind immediately is that of the primality predicate: its customary definition 
in first-order logic looks like the following: 

$$\mathrm{prime}(x) \;\Leftrightarrow\; (x > 1) \land \neg\exists y, z.\, (y > 1 \land z > 1 \land x = yz)$$

and thus involves a quantifier. Although one might suspect that this quantifier 
is indispensable, it turns out that a quantifier-free specification of the primality 
predicate without further auxiliary functions actually exists. This result follows 
from a more general fact, stating the quantifier-free specifiability of every 
decidable predicate using the signature 

    signature
      sorts      Nat, Bool
      functions  true, false :           → Bool
                 zero        :           → Nat
                 succ        : Nat       → Nat
                 add, mult   : Nat × Nat → Nat
                 char        : Nat       → Bool
    end signature

For every $M \subseteq \mathbb{N}$, $A_M$ denotes the algebra that interprets Nat, Bool and their 
basic operations in the usual way and furthermore defines 

$$\mathrm{char}^{A_M}(x) = \begin{cases} \mathrm{true} & \text{if } x \in M \\ \mathrm{false} & \text{otherwise} \end{cases}$$

to be the characteristic function of $M$. 

Fact 2. Let $M$ be a decidable subset of the natural numbers.⁴ Then, there exists 
a quantifier-free specification $SP$ without hidden functions such that 

$$Mod(SP) = [A_M].$$

Proof. The proof is a consequence of the characterization of enumerable sets 
by diophantine equations. A good introduction to the subject is [Mat93]. 

Seeing that the basic operations on Nat and Bool can be easily specified 
without quantifiers, we focus on the specifiability of the function $\mathrm{char}^{A_M}$. 

Since $M$ is decidable, both $M$ and its complement are recursively enumerable. 
Matiyasevich’s Theorem states that all recursively enumerable sets are 
diophantine. Hence, $M$ and $\mathbb{N} \setminus M$ are diophantine, meaning that there are polynomials 
$p_1, q_1, p_2, q_2$ with positive integer coefficients such that 

$$x \in M \iff \text{there exist } y_1, \ldots, y_n \text{ with } p_1(x, y_1, \ldots, y_n) = q_1(x, y_1, \ldots, y_n),$$
$$x \notin M \iff \text{there exist } y_1, \ldots, y_n \text{ with } p_2(x, y_1, \ldots, y_n) = q_2(x, y_1, \ldots, y_n).$$

Since the polynomials can be written as terms using zero, succ, add, and 
mult only, we obtain two quantifier-free axioms specifying $\mathrm{char}^{A_M}$: 

$$p_1(x, y_1, \ldots, y_n) = q_1(x, y_1, \ldots, y_n) \;\rightarrow\; \mathrm{char}(x) = \mathrm{true}$$
$$p_2(x, y_1, \ldots, y_n) = q_2(x, y_1, \ldots, y_n) \;\rightarrow\; \mathrm{char}(x) = \mathrm{false}.$$

Note that we are not introducing any new signature symbols: $p_1, q_1, p_2, q_2$ are 
merely denotations for the terms representing the polynomials. ■ 

Choosing $M$ to be the set of all prime numbers, the above fact 2 yields the 
desired specification. In this special case, polynomials $p_2, q_2$ can easily be found, 
whereas determining $p_1, q_1$ requires a great amount of number theory. In [Mat93, 
p. 55], a polynomial representation of the set of prime numbers is given. 



⁴ The statement can easily be generalized to decidable subsets of $\mathbb{N}^k$ for any $k$ and 
also to computable functions from $\mathbb{N}^k$ to $\mathbb{N}$. 

4 The example: completeness of graphs 

Looking once more at the reason why the previous section’s example did indeed 
have a quantifier-free specification, we realize that the powerful arithmetical op- 
erations allowed us to code all decidable properties of natural numbers. There- 
fore, we turn to properties of structures possessing fewer operations, namely the 
completeness of graphs (for the same reason, graphs and their properties are 
often considered in finite model theory, cf. section 7). 

More specifically, we consider directed graphs with a finite number of edges, 
and whose vertices are exactly the natural numbers. We can therefore identify a 
graph with the set of its edges, i.e., a graph $G$ is a finite subset $G \subseteq \mathbb{N} \times \mathbb{N}$. It is 
called complete if $(n, m) \in G$ for every $n, m \in G$. Here, $n \in G$ means that there 
exists an $n' \in \mathbb{N}$ such that $(n, n') \in G$ or $(n', n) \in G$. 

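To define the data type $A$ of graphs equipped with a completeness predicate, 
we provide the signature 

    signature Σ
      sorts      Bool, Nat, Graph
      functions  true, false :                   → Bool
                 zero        :                   → Nat
                 succ        : Nat               → Nat
                 empty       :                   → Graph
                 connect     : Nat × Nat × Graph → Graph
                 complete    : Graph             → Bool
    end signature

and interpret the symbols in the obvious way: 

$$\begin{aligned}
\mathrm{Bool}^A &= \{\mathrm{true}, \mathrm{false}\} \\
\mathrm{Nat}^A &= \mathbb{N} \\
\mathrm{Graph}^A &= \{G \subseteq \mathbb{N} \times \mathbb{N} \mid G \text{ finite}\} \\
\mathrm{true}^A &= \mathrm{true} \\
\mathrm{false}^A &= \mathrm{false} \\
\mathrm{zero}^A &= 0 \\
\mathrm{succ}^A(n) &= n + 1 \\
\mathrm{empty}^A &= \emptyset \\
\mathrm{connect}^A(n, m, G) &= G \cup \{(n, m)\} \\
\mathrm{complete}^A(G) &= \begin{cases} \mathrm{true} & \text{if } G \text{ is complete} \\ \mathrm{false} & \text{otherwise.} \end{cases}
\end{aligned}$$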

Notice that the data type $A$ is obviously term-generated and computable. The 
following two sections will establish the existence of a monomorphic specification 
for $A$ with quantifiers and the non-existence of one without (both not using 
hidden functions). 

5 Specifiability using quantifiers 

In order to show that, by using quantifiers, the data type $A$ can be specified 
without introducing hidden functions, we subsequently give a suitable 
specification. For convenience, we agree on two abbreviations (but note that we are not 
adding any new symbols to the signature): 

    connected(x, y, g) := (connect(x, y, g) = g)

    in(x, g) := ∃z. (connected(x, z, g) ∨ connected(z, x, g)).



    specification COMPL
      signature Σ
      variables x, y, u, v : Nat
                g, h : Graph
      axioms (1) true ≠ false
             (2) succ(x) ≠ zero
             (3) succ(x) = succ(y) → x = y
             (4) ¬ connected(x, y, empty)
             (5) connected(x, y, connect(u, v, g))
                   ↔ (x = u ∧ y = v) ∨ connected(x, y, g)
             (6) g = h ↔ ∀x,y. (connected(x, y, g) ↔ connected(x, y, h))
             (7) complete(g) = true ∨ complete(g) = false
             (8) complete(g) = true
                   ↔ ∀x,y. (in(x, g) ∧ in(y, g) → connected(x, y, g))
    end specification

Theorem 3. The first-order specification COMPL specifies the data type $A$, 
i.e. $Mod(\mathrm{COMPL}) = [A]$. 



Proof. We can easily verify that all axioms are valid in $A$. Since $A$ is 
term-generated, $A$ is a model of COMPL and it remains to prove the monomorphicity 
of COMPL. 

For that purpose, we use the fact that a specification $SP$ is monomorphic iff 
$SP$ fixes the ground equations, i.e., iff for all ground equations $t_1 = t_2$, either 
$SP \models t_1 = t_2$ or $SP \models t_1 \neq t_2$ (cf. [Wir90, Fact 2.3.2]). We check each kind of 
ground equation separately: 

(a) $t_1 = t_2$ for ground terms $t_1, t_2$ of the sort Nat: 

Due to axioms (2) and (3), we get $SP \models t_1 \neq t_2$ whenever $t_1$ and $t_2$ differ 
syntactically; otherwise, $SP \models t_1 = t_2$ holds trivially. 

(b) $t_1 = t_2$ for ground terms $t_1, t_2$ of the sort Graph: 

We first use induction on the structure of $t$ and axioms (4) and (5) to show 
that for all ground terms $t'_1, t'_2$ of the sort Nat and $t$ of the sort Graph, either 
$\mathrm{COMPL} \models \mathrm{connected}(t'_1, t'_2, t)$ or $\mathrm{COMPL} \models \neg\,\mathrm{connected}(t'_1, t'_2, t)$. 



On the Power of Quantifiers in First-Order Algebraic Specification 






Then, it immediately follows from axiom (6) that COMPL fixes arbitrary 
ground equations of the sort Graph. 

(c) $t_1 = t_2$ for ground terms $t_1, t_2$ of the sort Bool: 

Since the atoms on the right hand side of axiom (8) are equations of the sort 
Graph, it follows from (b) that for all ground terms $t$ of the sort Bool, either 
$\mathrm{COMPL} \models \mathrm{complete}(t) = \mathrm{true}$ or $\mathrm{COMPL} \models \mathrm{complete}(t) \neq \mathrm{true}$. 

Using axiom (7), we find that either $\mathrm{COMPL} \models \mathrm{complete}(t) = \mathrm{true}$ or 
$\mathrm{COMPL} \models \mathrm{complete}(t) = \mathrm{false}$. Ground terms $\mathrm{complete}(t)$ can thus be 
“reduced” to either true or false, i.e. all ground equations $t_1 = t_2$ of the 
sort Bool can be “reduced” to equations $t'_1 = t'_2$ with $t'_1, t'_2 \in \{\mathrm{true}, \mathrm{false}\}$. 
The latter are fixed due to axiom (1). ■ 

6 Non-specifiability without quantifiers 

The previous section shows that the abstract data type $A$ can be specified 
without hidden functions, but using quantifiers. We now turn to the question whether 
the use of quantifiers is indeed necessary.⁵ We will answer this question positively 
by proving the following 

Theorem 4. There is no quantifier-free specification $SP$ without hidden 
functions such that $Mod(SP) = [A]$. 

Before presenting the actual proof, we give a short outline. While a “local 
property” — namely that of a missing edge between two non-isolated vertices 
(vertices that are part of at least one of the graph’s edges) — is sufficient for 
non-completeness of a graph, a graph’s completeness can only be guaranteed by 
looking at all pairs of its vertices and checking whether an edge exists between 
them. 

However, a finite formula without quantifiers can only make statements about 
a relation between a bounded number of edges. If the size of a graph exceeds 
this bound, the specification fails to recognize this graph’s completeness. Or, if 
the graph’s completeness is actually recognized, then it is upon conditions that 
are not sufficient in the general case, and the specification will falsely classify 
some other graph as complete. 

While the basic idea can be described fairly easily, the proof itself turns out 
to be quite cumbersome. We start with some conventions and definitions. 

1. $m, n$ are always natural numbers. 

2. $t, t_i, t_j, t_0, t_1, t_2$ are terms of the sort Graph. 

3. $x, x_i$ are variables of the sort Graph. 

4. $v$ always denotes a valuation and $(t)^{A,v}$ denotes the evaluation of term $t$ in 
the algebra $A$ under $v$. 

5. $\varphi$ always denotes a disjunction of literals (i.e. of equations or inequations 
between terms), while $\phi$ stands for an arbitrary formula. 

⁵ For instance, the equality of graphs (in axiom (6)) could also have been specified 
without quantifiers — at the cost of a more difficult proof of theorem 3. 

Definition 5. 1. For every $m$, $G_m$ denotes the complete graph 

$G_m :=$ 

and the algebra $A_m$ is defined to be identical to $A$ except for 
$\mathrm{complete}^{A_m}(G_m) = \mathrm{false}$. 

2. The distance $d(G_1, G_2)$ between two graphs $G_1, G_2$ is the cardinality of their 
symmetric set difference, i.e. $d(G_1, G_2) := |(G_1 \setminus G_2) \cup (G_2 \setminus G_1)|$. 

3. $\mathrm{connects}(\phi)$ is the number of occurrences of the function symbol connect in 
the formula $\phi$; $\mathrm{connects}(t)$ is defined likewise. 

4. The maximum $\max(\phi, A, v)$ of a formula $\phi$ under a valuation $v$ in an algebra 
$A$ is the greatest natural number occurring in the evaluation of Nat and 
Graph terms of $\phi$ under $v$ and $A$. 

5. Two terms $t_1, t_2$ are adjacent in $\varphi$ if both appear in $\varphi$ (possibly as subterms), 
and either one term is a subterm of the other or a literal $t_1 \neq t_2$ exists in $\varphi$. 

$\sim_\varphi$ denotes the transitive, symmetric closure of adjacency and is obviously 
an equivalence relation. If $t_1 \sim_\varphi t_2$ holds, then $t_1$ and $t_2$ are called connected 
in $\varphi$. 

6. $T_{\varphi,v,m}$ denotes the set of all terms $t$ such that there exists a term $t_0$ in $\varphi$ 
with $t \sim_\varphi t_0$ and $(t_0)^{A,v} = G_m$. 

The set $T_{\varphi,v,m}$ is a kind of “influence sphere” around the terms $t_0$ evaluated 
to $G_m$. Since we later want to modify the evaluation of those terms $t_0$ (which 
might help to distinguish between the two algebras $A$ and $A_m$) without 
affecting the validity of other parts of the formula, the evaluations of the 
terms in $T_{\varphi,v,m}$ have to be changed simultaneously as well. 

Note that $t \in T_{\varphi,v,m}$ implies that $t$ appears in $\varphi$. Also, $T_{\varphi,v,m}$ is closed under 
subterms by definition of $\sim_\varphi$. In particular, if a term $t$ contains a variable $x$, 
the term $t$ is in $T_{\varphi,v,m}$ iff $x \in T_{\varphi,v,m}$, a fact that we will be using regularly 
without explicitly mentioning it. 

7. For a valuation $v$, the valuation $v_{\varphi,m,n}$ is defined to be identical to $v$ except 
that we set $v_{\varphi,m,n}(x) := v(x) \cup \{(n + 1, n + 2)\}$ for variables $x \in T_{\varphi,v,m}$. 

Lemma 6. Let $v$ be an arbitrary valuation: 

(a) If $t$ does not contain a variable of the sort Graph, then 

$$|(t)^{A,v}| \le \mathrm{connects}(t).$$

(b) If $t \in T_{\varphi,v,m}$ and none of the inequations of the sort Graph in $\varphi$ is valid 
under $v$, then 

$$d\big(G_m, (t)^{A,v}\big) \le \mathrm{connects}(\varphi).$$

Proof. (a) can be proven by a simple induction on the structure of $t$. 

To prove (b), let $t_0$ be a term with $t \sim_\varphi t_0$ that is evaluated to $G_m$ under $v$ 
and $A$. Such a term $t_0$ must exist due to the definition of $T_{\varphi,v,m}$. 

Let $(t_1, \ldots, t_{j-1}, t_j)$ be a path of minimal length $j$ connecting $t$ and $t_0$ in 
the adjacency relation, i.e. $t_1 = t$ and $t_j = t_0$. Such a path must exist because of 
$t \sim_\varphi t_0$. For any term $t'$ in $\varphi$, there is at most one pair $(t_i, t_{i+1})$ that is adjacent 
through being subterms of $t'$. Otherwise, if $i_1 < i_2$ were indices of two such 
pairs, we could obtain a path of length $j - (i_2 - i_1)$ by leaving out the terms 
$t_{i_1+1}, \ldots, t_{i_2}$. 

The above statement also implies that for any two pairs $(t_{i_1}, t_{i_1+1})$, $(t_{i_2}, t_{i_2+1})$, 
that are adjacent through being subterms of or cannot be a subterm 
of and neither can be a subterm of Thus, all can be chosen to be 
maximal, i.e. not to be subterms of any other term $t'$ in $\varphi$. 

To prove the desired inequation, we look at every step $i$ in the path connecting 
$t$ and $t_0$, and add up their contributions to the total set difference of the terms’ 
evaluations. If $t_i$ and $t_{i+1}$ are connected through an inequation in $\varphi$, then the 
precondition that none of the Graph inequalities hold yields that both terms are 
evaluated to the same graph, so that this step’s contribution is 0. 

Otherwise, $t_i$ and $t_{i+1}$ are both subterms of some term $t'_i$ in $\varphi$. This implies 
that their evaluation can differ by no more than $\mathrm{connects}(t'_i)$ edges (which can be 
proven by induction on the structure of $t'_i$). Using the above observation about 
the choice of the terms $t'$, we obtain: 

$$d\big((t)^{A,v}, G_m\big) \;\le\; \sum_{i=1}^{j-1} d\big((t_i)^{A,v}, (t_{i+1})^{A,v}\big) \;\le\; \sum_{t' \text{ maximal}} \mathrm{connects}(t') \;\le\; \mathrm{connects}(\varphi).$$


Lemma 7. Let $m > \mathrm{connects}(\varphi)$, and $n > \max(\varphi, A, v)$. For all literals $\lambda$ in $\varphi$ 
that do not contain a term $\mathrm{complete}(t)$ with $t \in T_{\varphi,v,m}$, we assume $A, v \not\models \lambda$. 

Then, for all of these literals, it holds that $A, v_{\varphi,m,n} \not\models \lambda$. 

Proof. We check the different forms that the literals $\lambda$ can have. The claim is 
obvious for equations and inequations between terms of the sorts Nat or Bool 
(if a literal includes a term $\mathrm{complete}(t)$, the precondition yields $t \notin T_{\varphi,v,m}$) 
as well as equations and inequations between terms of the sort Graph that do 
not contain any variables $x \in T_{\varphi,v,m}$. In all of these cases, every such term is 
evaluated in the same way under $v_{\varphi,m,n}$ and $v$. 

The remaining cases are literals of the form $t_1 = t_2$ or $t_1 \neq t_2$, where at least 
one of the terms contains a variable $x \in T_{\varphi,v,m}$. If this applies to both terms, it 
can be easily checked that the valuation $v_{\varphi,m,n}$ adds the same edge $(n + 1, n + 2)$ 
to the evaluations of both terms, and that this edge was not previously contained 
in any of them. Thus, the equation holds under the valuation $v_{\varphi,m,n}$ iff it holds 
under $v$. 

If both terms contain variables of the sort Graph, but only one of them is in 
$T_{\varphi,v,m}$, the literal has to be an equation (otherwise, the other variable would be 
in $T_{\varphi,v,m}$ by definition). Since the edge $(n + 1, n + 2)$ is added to the valuation 
of the term in $T_{\varphi,v,m}$ under $v_{\varphi,m,n}$ but not to that of the other term, it is clear 
that the equation cannot hold. 

If $\lambda$ is an equation such that one of the terms does not contain a variable 
of the sort Graph, an argument similar to the one just presented shows the 
claim. The case that $\lambda$ is an inequation such that one of the terms does not 
contain a variable cannot occur, because this would imply $\mathrm{empty} \in T_{\varphi,v,m}$, and 
lemma 6(b) would yield $d(G_m, \emptyset) \le \mathrm{connects}(\varphi) < m$, clearly a contradiction to 
$|G_m| = (m + 1)^2$. ■ 

Lemma 8. Let $\varphi = \bigvee_{j=1}^{J} \lambda_j$ such that all literals $\lambda_j$ of the sort Bool are either 
of the form $\mathrm{complete}(t) = \mathrm{true}$ or of the form $\mathrm{complete}(t) = \mathrm{false}$.⁶ Then, 
for all $m > \mathrm{connects}(\varphi)$, we have 

$$A \models \varphi \;\Longrightarrow\; A_m \models \varphi.$$

Proof. We fix an arbitrary $m > \mathrm{connects}(\varphi)$. For any valuation $v$, we fix 
$n > \max(\varphi, A, v)$ and show that if both $A, v \models \varphi$ and $A, v_{\varphi,m,n} \models \varphi$ hold, then 
$A_m, v \models \varphi$. To show that this implies the lemma, let $v$ be an arbitrary valuation. 
By assumption, $A \models \varphi$, so $A, v \models \varphi$, and $A, v_{\varphi,m,n} \models \varphi$. We thus get $A_m, v \models \varphi$, 
and because $v$ was arbitrary, $A_m \models \varphi$. 

If there is a $j \in \{1, \ldots, J\}$ with $A, v \models \lambda_j$ such that $\lambda_j$ is not of the form 
$\mathrm{complete}(t_j) = \mathrm{true}$ with $(t_j)^{A,v} = G_m$, it is obvious that $A_m, v \models \lambda_j$, since 
the only difference between $A$ and $A_m$ is the evaluation of complete at $G_m$. This 
implies $A_m, v \models \varphi$ and hence our claim. 

Otherwise, $A, v \models \lambda_j$ can only hold for literals $\mathrm{complete}(t_j) = \mathrm{true}$, where 
$(t_j)^{A,v} = G_m$ (especially implying $t_j \in T_{\varphi,v,m}$). For all other literals, we have 
$A, v \not\models \lambda_j$. Therefore, we can use lemma 7 to conclude that the only literals with 
$A, v_{\varphi,m,n} \models \lambda_i$ can be those including a term $\mathrm{complete}(t_i)$ with $t_i \in T_{\varphi,v,m}$, and 
because of $A, v_{\varphi,m,n} \models \varphi$, there must be at least one such $i \in \{1, \ldots, J\}$. 

$t_i$ must contain a variable of the sort Graph, because otherwise, we could 
use lemma 6(a) to conclude that the evaluation of $t_i$ has at most $m$ edges, in 
contradiction to $t_i$ being evaluated to $G_m$ (which has $(m + 1)^2$ edges). We can 
therefore use the definition of $v_{\varphi,m,n}$ and induction on the structure of $t_i$ to show 
that the evaluation of $t_i$ under $v_{\varphi,m,n}$ includes the edge $(n + 1, n + 2)$, but not 
the edge $(n + 1, n + 1)$ — thus, it is not a complete graph. Hence, $A, v_{\varphi,m,n} \models \lambda_i$ 
implies that $\lambda_i$ is of the form $\mathrm{complete}(t_i) = \mathrm{false}$ (here, we use the restriction 
placed on literals of the sort Bool). 

We now look at the evaluation of $t_i$ under $v$, writing $G := (t_i)^{A,v}$. If $G = G_m$, 
we immediately have $A_m, v \models \lambda_i$ because of definition. Otherwise, lemma 
6(b) states that $G$ and $G_m$ differ by at most $\mathrm{connects}(\varphi) < m$ edges. Since 
any complete graph other than $G_m$ differs from $G_m$ by at least $2m + 1$ edges 
(which can be proven quite easily), $G$ cannot be complete, and hence $A_m, v \models \lambda_i$, 
completing our proof. ■ 

⁶ This assumption is only used to make the proof less technical. The lemma also holds 
without the assumption. 
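
The algebra $A$, the abbreviations connected and in, and the reading of axiom (8) can be executed on ground terms, which makes the counting facts used in Lemmas 6 to 8 easy to check on small cases. The following Python model is an added illustration, not part of the paper: the tuple encoding of terms and all helper names are assumptions, and the complete graph on the vertices 0..m is an assumed stand-in for $G_m$, chosen because it has the $(m+1)^2$ edges the text states.

```python
from itertools import product

EMPTY = ("empty",)                      # the constant empty

def connect(n, m, g):
    """Build the ground term connect(n, m, g)."""
    return ("connect", n, m, g)

def evaluate(term):
    """Value of a ground Graph term in A: a finite set of edges."""
    edges = set()
    while term != EMPTY:
        _, n, m, term = term
        edges.add((n, m))
    return frozenset(edges)

def connects(term):
    """Number of occurrences of the symbol connect in a ground Graph term."""
    count = 0
    while term != EMPTY:
        count, term = count + 1, term[3]
    return count

def connected(x, y, g):
    """connected(x, y, g) := (connect(x, y, g) = g), read in A."""
    return evaluate(connect(x, y, g)) == evaluate(g)

def vertices(g):
    """All x with in(x, g). A witness z for the existential quantifier must be
    an endpoint of an edge of g, so the search over the naturals is finite."""
    ends = {k for edge in evaluate(g) for k in edge}
    return {x for x in ends
            if any(connected(x, z, g) or connected(z, x, g) for z in ends)}

def complete(g):
    """Right-hand side of axiom (8), both quantifiers bounded to the vertices."""
    vs = vertices(g)
    return all(connected(x, y, g) for x, y in product(vs, repeat=2))

def complete_term(vertex_set):
    """Ground term for the complete graph (self-loops included) on vertex_set."""
    term = EMPTY
    for n, m in product(sorted(vertex_set), repeat=2):
        term = connect(n, m, term)
    return term

def distance(g1, g2):
    """d(G1, G2): size of the symmetric difference of the two edge sets."""
    return len(evaluate(g1) ^ evaluate(g2))

def min_distance_to_other_complete(m):
    """Smallest distance from the complete graph on 0..m to any other complete
    graph whose vertices lie in 0..m+1 (a bounded search, for illustration)."""
    base = complete_term(range(m + 1))
    best = None
    for mask in range(1 << (m + 2)):
        vs = [k for k in range(m + 2) if (mask >> k) & 1]
        if vs == list(range(m + 1)):
            continue                    # skip the base graph itself
        d = distance(base, complete_term(vs))
        best = d if best is None else min(best, d)
    return best

if __name__ == "__main__":
    m = 3
    g = complete_term(range(m + 1))
    print(len(evaluate(g)), connects(g))        # edges never exceed connects
    print(complete(g), complete(connect(m + 1, m + 2, g)))
    print(min_distance_to_other_complete(m))    # 2m + 1
```

Adding the single edge (n+1, n+2) above the largest vertex turns a complete graph into a non-complete one because (n+1, n+1) is missing, which is the step the proof of Lemma 8 takes with the valuation $v_{\varphi,m,n}$.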

Proof of theorem 4. Using lemma 8, the proof of theorem 4 is quite 
straightforward. If $SP$ is any quantifier-free specification without auxiliary functions, 
and $\Phi$ is the set of its axioms, we form the conjunction of all axioms in $\Phi$. We 
then replace every occurrence of any equation $t^b_1 = t^b_2$ (with terms $t^b_1, t^b_2$ of the 
sort Bool) by 

$$t^b_1 = \mathrm{true} \;\leftrightarrow\; t^b_2 = \mathrm{true},$$

and similarly any inequation $t^b_1 \neq t^b_2$ by 

$$t^b_1 = \mathrm{true} \;\leftrightarrow\; t^b_2 = \mathrm{false}.$$

Transforming the resulting formula into conjunctive normal form and replacing 
inequations $t^b \neq \mathrm{true}$ (resp. $t^b \neq \mathrm{false}$) by $t^b = \mathrm{false}$ (resp. $t^b = \mathrm{true}$) 
yields a formula $\phi = \bigwedge_{k=1}^{K} \varphi_k$ such that each $\varphi_k$ is a disjunction of literals 
satisfying the requirements of lemma 8. 

Clearly, $A \in Mod(SP)$ implies $A \models \phi$. We choose some $m > \mathrm{connects}(\varphi_k)$ 
for all $k \in \{1, \ldots, K\}$. The lemma then implies $A_m \models \varphi_k$ for all $k$, and therefore 
we have $A_m \models \phi$. This implies $A_m \models \Phi$ and hence $A_m \in Mod(SP)$. Thus 
$Mod(SP) \neq [A]$. ■ 

7 Conclusions 

It is well known that there is no need for introducing quantifiers in order to 
specify computable data types if hiding facilities are used. Matters are quite 
different if hiding facilities are disabled: in this paper, we provided an example 
of a (natural) computable data type that has a monomorphic first-order speci- 
fication but no monomorphic quantifier-free specification (both without hidden 
symbols). 

Even if the use of quantifiers does not completely compensate the loss of 
expressiveness caused by disabling hiding (cf. [Ber93,Sch97a,Sch97b]), theorem 
1 indicates that quantifiers make up for this loss at least to some extent. In other 
words, we have shown that the use of quantifiers can help to avoid introducing 
hidden functions. Since hidden functions often make specifications less readable 
and may cause technical inconvenience (e.g. the handling of clashes between hid- 
den symbols when combining specifications), this paper can be seen as support 
for the provision of quantifiers in specification languages.^ 

While we believe that our result is proven for the first time, the problem was
already mentioned in [BDP+79]: Broy et al. give several examples for
specifications that demonstrate the usefulness of quantifiers, and they even claim:

“A formulation without existential quantifiers requires the introduction of
additional (hidden) functions, which makes the presentation inconvenient ...”

However, they refer to a non-monomorphic data type and do not provide a
proof for their statement.

^ Notice that our arguments are also valid for the case that initial algebra semantics
is adopted: Since there are no homomorphisms from A to the non-standard models
Am considered in section 6, the restriction to initial models does not eliminate the
necessity of either quantifiers or hidden functions. (Unfortunately, quantifiers would
spoil the guarantee of the existence of initial models and executability.)

Furthermore, our work is somewhat related to the work done in finite model 
theory and descriptive complexity, where especially the (first-order) definability 
of properties of finite graphs is studied (cf. e.g. [EF95] and [Imm82]). A typical 
result is, for instance, that there is no first-order formula $\varphi$ such that

$G \models \varphi \iff G$ is connected

for all finite graphs G (where the variables in $\varphi$ are required to range over the
nodes of G) (cf. [Gai82]). Unfortunately, such results do not carry over to our
setting because we can use variables ranging over graphs (which allows, for in- 
stance, a first-order specification of connectedness) and even inductive definitions 
(since the property to be specified is named by a symbol, in our case complete). 

Moreover, instead of merely providing an example, one could be interested 
in a characterization of the data types that can or cannot be specified without 
hiding and without quantifiers. It is well known that for any first-order formula
$\psi$ there is an equivalent quantifier-free formula $\psi'$ iff the class of models of $\psi$
is closed under subalgebras [Rob74, Theorem 3.3.4]. However, this result does
not apply in our context, because even if the class of all models of $\psi$ is not
closed under subalgebras, there can be a quantifier-free formula having the same 
term-generated models. 

Another approach is pursued in [BT87], [BBTW81], and others: the au- 
thors characterize specifiability (using hidden functions) in terms of complexity 
(cf. e.g. [EM81,AT82]). However, fact 2 indicates that specifiability without hid- 
den functions generally does not imply any bound on the data type’s complexity. 
Conversely, it might be interesting to study whether (certain) complexity bounds 
guarantee specifiability without hidden functions. 

Acknowledgments. We thank the anonymous referees for their helpful comments. 
Abstract. We consider in this paper an extension of Datalog with mechanisms
for temporal, nonmonotonic and nondeterministic reasoning, which we refer to
as Datalog++. We study its semantics, and show how iterated fixpoint and
stable model semantics can be combined to the purpose of clarifying the
interpretation of Datalog++ programs, and supporting their efficient
execution. On this basis, the design of appropriate optimization techniques
for Datalog++ is also discussed.



1 Introduction 

Motivations. The name Datalog++ is used in this paper to refer to Datalog
extended with mechanisms supporting:

— temporal reasoning, by means of temporal, or stage, arguments of relations,
ranging over a discrete temporal domain, in the style of Datalog1S [5];

— nonmonotonic reasoning, by means of a form of stratified negation w.r.t. the
stage arguments, called XY-stratification [19];

— nondeterministic reasoning, by means of the nondeterministic choice
construct [8].

Datalog++, which is essentially a fragment of LDL++ [2], and is advocated in
[20, Chap. 10], has proved to be a highly expressive language, with applications
in diverse areas such as AI planning [4], active rules [18], object databases [7],
semistructured information management and Web restructuring [7]. However, we
are still missing a thorough study of the semantics of Datalog++, which will
provide a basis for sound and efficient implementations and optimization
techniques. A preliminary study of the semantics for a generalization of
Datalog++ is sketched in [4], but their approach presents some problems that
are fixed in this paper.



Objective. The goal of this paper is to provide a declarative semantics for 
Datalog++, which accommodates and integrates the temporal, nonmonotonic
and nondeterministic mechanisms, and which justifies the adoption of an iterated
fixpoint semantics for the language, that leads to its efficient implementation.
We proceed as follows:

1. a natural, noneffective, semantics for Datalog++ is assigned using the notion
of a stable model;

2. an effective semantics is then assigned using an iterative procedure which 
exploits the stratification induced by the progression of the temporal argu- 
ment; 

3. in the main result of this paper, we show that 1. and 2. are equivalent, 
provided that a natural syntactic restriction is fulfilled, which imposes a 
disciplined use of the temporal argument within the choice construct. 

On the basis of this result, we finally discuss a repertoire of optimization
techniques, especially tailored for Datalog++. In particular, we discuss how it is
possible to support efficient history-insensitive temporal reasoning by means of
real side-effects during the iterated computation [13].



Related Work. Nondeterminism is introduced in deductive databases by means 
of the choice construct. The original proposal in [11] was later revised in [17], 
and refined in [8]. These studies exposed the close relationship connecting non- 
monotonic reasoning with nondeterministic constructs, leading to the defini- 
tion of a stable model semantics for choice. While the declarative semantics of 
choice is based on stable model semantics which is computationally intractable
in general, choice is amenable to efficient implementations, and it is actually
supported in the logic database language LDL [14] and its evolution LDL++
[2].

On the other side, stratification has been a crucial notion for the introduction 
of nonmonotonic reasoning in deductive databases. From the original idea in [1] 
of a static stratification based on predicate dependencies, stratified negation has 
been refined to deal with dynamic notions, as in the case of locally stratified 
programs [15] and modularly stratified programs [16]. Dynamic, or local, strat- 
ification has a close connection with temporal reasoning, as the progression of 
time points yields an obvious stratification of programs — consider for instance 
Datalog1S [5]. It is therefore natural that nonmonotonic and temporal reasoning
are combined in several deductive database languages, such as those in [12], [10], 
[7], [20, Chap. 10]. 

However, a striking mismatch is apparent between the above two lines of 
research: nondeterminism leads to a multiplicity of (stable) models, whereas 
stratification leads to a unique (perfect) model. So far, no comprehensive study 
has addressed the combination of the two lines, which occurs in Datalog++, and
which requires the development of a nondeterministic iterated fixpoint
procedure. We notice however the mentioned exception of [4], where an approach to
this problem is sketched with reference to locally stratified programs augmented
with choice. In the present paper, we present instead a thorough treatment of
Datalog++ programs, and repair a problem of the approach in [4] concerning
the incompleteness of the iterated fixpoint procedure. 
2 Background on NonDeterminism and XY-stratification

Nondeterministic choice. The choice construct is used to nondeterministi- 
cally select subsets of answers to queries, which obey a specified FD constraint. 
For instance, the rule 

st_ad(St, Ad) ← major(St, Area), faculty(Ad, Area), choice((St), (Ad)).

assigns to each student a unique, arbitrary advisor from the same area, since the
choice goal constrains the st_ad relation to obey the FD (St → Ad).

The semantics of choice is assigned using the so-called stable model semantics
of Datalog¬ programs, a concept originating from autoepistemic logic, which
was applied to the study of negation in Horn clause languages by Gelfond and
Lifschitz [6]. To define the notion of a stable model we need to introduce a
transformation H which, given an interpretation I, maps a Datalog¬ program
P into a positive Datalog program H(P, I):

$H(P, I) = \{A \leftarrow B_1, \dots, B_n \mid A \leftarrow B_1, \dots, B_n, \neg C_1, \dots, \neg C_m \in ground(P) \wedge \{C_1, \dots, C_m\} \cap I = \emptyset\}$

Next, we define:

$S_P(I) = T_{H(P,I)} \uparrow \omega$

Then, M is said to be a stable model of P if $S_P(M) = M$. In general, Datalog¬
programs may have zero, one or many stable models. The multiplicity of stable
models can be exploited to give a declarative account of nondeterminism.

We can in fact define the stable version of a program P, SV(P), to be the
program transformation where all the references to the choice atom in a rule
r : H ← B, choice(X, Y) are replaced by the atom chosen_r(X, Y), and define the
chosen_r predicate with the following rules:

chosen_r(X, Y) ← B, ¬diffchoice_r(X, Y).
diffchoice_r(X, Y) ← chosen_r(X, Y'), Y ≠ Y'.

where, for any fixed value of X, each choice for Y inhibits all the other possible
ones via diffchoice_r, so that in the stable models of SV(P) there is (only) one
of them. Notice that, by construction, each occurrence of a choice atom has
its own pair of chosen and diffchoice atoms, thus bounding the scope of the
atom to the rule it appears in. The various stable models of the transformed
program SV(P) thus correspond to the choice models of the original program.



XY-programs. Another notion used in this paper is that of XY-programs
originally introduced in [19]. The language of such programs is $Datalog^{\neg}_{1S}$, which
admits negation on body atoms and a unary constructor symbol, used to
represent a temporal argument usually called the stage argument. A general definition
of XY-programs is the following. A set P of rules defining mutually recursive
predicates, is an XY-program if it satisfies the following conditions:

1. each recursive predicate has a distinguished stage argument;

2. every recursive rule r is either an X-rule or a Y-rule, where:

— r is an X-rule when the stage argument in every recursive predicate in
r is the same variable,

— r is a Y-rule when (i) the head of r has a stage argument s(J), where J
is a variable, (ii) some goal of r has J as its stage argument, and (iii) the
remaining recursive goals have either J or s(J) as their stage argument.

Intuitively, in the rules of XY-programs, an atom p(J, _) denotes the extension
of relation p at the current stage (present time) J, whereas an atom p(s(J), _)
denotes the extension of relation p at the next stage (future time) s(J). By
using a different primed predicate symbol p' in the p(s(J), _) atoms, we obtain
the so-called primed version of an XY-program. We say that an XY-program
is XY-stratified if its primed version is a stratified program. Intuitively, if the 
dependency graph of the primed version has no cycles through negated edges, 
then it is possible to obtain an ordering on the original rules modulo the stage 
arguments. As a consequence, an XY-stratified program is also locally stratified, 
and has therefore a unique stable model that coincides with its perfect model 
[15]. 

Let P be an XY-stratified program. Then, for each $i \geq 0$, define $P_i$ as

$P_i = \{ r[s^i(nil)/I] \mid r \in P,\ I$ is the stage argument of the head of $r \}$

i.e., $P_i$ is the set of rule instances of P that define the predicates with stage
argument $s^i(nil) = i$ (here $r[x/I]$ stands for “replacing I with x in r”). Then
the iterated fixpoint procedure for computing the (unique) minimal model of P
can be defined as follows:

1. compute $M_0$ as the minimal model of $P_0$;

2. for each $j > 0$ compute $M_j$ as the minimal model of $P_j \cup M_{j-1}$.

Notice that for each j > 0, Pj is stratified by the definition, and hence its perfect 
model Mj is computable via an iterated fixpoint procedure. 

In this paper, we use the name Datalog++ to refer to the language of
XY-programs augmented with choice goals.



3 A Semantics for Datalog++

When choice constructs are allowed in XY-programs, a multiplicity of stable
models exists for any given program, and therefore we need to clarify how
this phenomenon combines with the iterated fixpoint semantics of choice-free
XY-programs. This task is accomplished in three steps.

1. First, we present a general result stating that, whenever a Datalog¬ program
P is stratifiable into a hierarchy of recursive cliques $Q_1, Q_2, \ldots$, then any
stable model of the entire program P can be reconstructed by iterating the
construction of approximating stable models, each associated to a clique.

2. Second, we observe that, under a syntactic restriction on the use of the
choice construct that does not compromise expressiveness, Datalog++
programs can be naturally stratified into a hierarchy of recursive cliques
$Q_1, Q_2, \ldots$, by using the temporal arguments of recursive predicates.

3. Third, by the observation in 2., we can apply the general result in 1. to
Datalog++ programs, thus obtaining that the stable models of the entire
program can be computed by an iterative fixpoint procedure which follows
the stratification induced by the temporal arguments.

Given a (possibly infinite) program P, consider a (possibly infinite) topological
sort of its distinct recursive cliques $Q_1 \prec Q_2 \prec \cdots \prec Q_i \prec \cdots$ induced by the
dependency relation over the predicates of P. Given an interpretation I, we use
the notation $I_i$ to denote the subset of atoms of I whose predicate symbols are
predicates defined in clique $Q_i$.

The following observations are straightforward: 

— $\bigcup_{i>0} I_i = I$ and analogously $\bigcup_{i>0} Q_i = P$;

— the predicates defined in $Q_{i+1}$ depend only on the definitions in $Q_1 \cup \dots \cup Q_i$;
as a consequence, the interpretation of $Q_{i+1}$ is $I_1 \cup \dots \cup I_i \cup I_{i+1}$ (i.e., we
can ignore $\bigcup_{j>i+1} I_j$).

The next definition shows how to transform each clique, within the given topo- 
logical ordering, in a self-contained program which takes into account the in- 
formation deduced by the previous cliques. Such transformation resembles the 
Gelfond-Lifschitz transformation reported in Sect. 2. 

Definition 1. Consider a program P, a topological sort of its cliques
$Q_1 \prec Q_2 \prec \cdots \prec Q_i \prec \cdots$ and an interpretation $I = \bigcup_{i>0} I_i$. Now define

$Q_i^{red(I)} = \{ H \leftarrow B_1, \dots, B_n \mid H \leftarrow B_1, \dots, B_n, C_1, \dots, C_m \in ground(Q_i)$
$\quad \wedge\ B_1, \dots, B_n$ are defined in $Q_i$
$\quad \wedge\ C_1, \dots, C_m$ are defined in $(Q_1 \cup \dots \cup Q_{i-1})$
$\quad \wedge\ I_1 \cup \dots \cup I_{i-1} \models C_1, \dots, C_m \}$

The idea underlying the transformation is to remove from each clique $Q_i$ all the
dependencies induced by the predicates which are defined in lower cliques. We
abbreviate $Q_i^{red(I)}$ by $Q_i^{red}$ when the interpretation I is clear by the context.

Example 1. Consider the program P = {p ← q, r.  q ← r, t.  r ← q, s.} and the
cliques $Q_1$ = {q ← r, t.  r ← q, s.} and $Q_2$ = {p ← q, r.}. Now, consider the
interpretation I = {s, q, r}. Then $Q_1^{red}$ = {q ← r, t.  r ← q, s.} and
$Q_2^{red}$ = {p ←.}. □

The following Lemma 1 states the relation between the models of the
transformed cliques and the models of the program. We abbreviate $I_1 \cup \dots \cup I_i$ with
$I^{(i)}$, and analogously for $Q^{(i)}$.

Lemma 1. Given a (possibly infinite) Datalog¬ program P and an interpretation
I, let $Q_1 \prec Q_2 \prec \cdots \prec Q_i \prec \cdots$ and $I_1 \prec I_2 \prec \cdots \prec I_i \prec \cdots$ be the topological sorts on
P and I induced by the dependency relation of P. Then the following statements
are equivalent:



On the Effective Semantics of Databases 






1. $S_P(I) = I$

2. $\forall i > 0.\ S_{Q_i^{red(I)}}(I_i) = I_i$

3. $\forall i > 0.\ S_{Q^{(i)}}(I^{(i)}) = I^{(i)}$

Proof. See Appendix. □ 

This result states that an arbitrary Datalog¬ program has a stable model if and
only if each of its approximating cliques, according to the given topological sort,
has a local stable model. This result gives us an intuitive idea for computing
the stable models of an approximable program by means of the computation of the
stable models of its approximating cliques.

Notice that Lemma 1 holds for arbitrary programs, provided that a strat- 
ification into a hierarchy of cliques is given. In this sense, this result is more 
widely applicable than the various notions of stratified programs, such as that of 
modularly stratified programs [16], in which it is required that each clique 
is locally stratified. On the contrary, we do not require here that each clique is, 
in any sense, stratified. This is motivated by the objective of dealing with
nondeterminism, and justifies why we adopt the (nondeterministic) stable model
semantics, rather than other deterministic semantics for (stratified) Datalog¬
programs, such as, for instance, perfect model semantics [15].

We turn now our attention to XY-programs. The result of instantiating the 
clauses of an XY-program P with all possible values (natural numbers) of the 
stage argument, yields a new program SG(P) (for stage ground). More precisely,
$SG(P) = \bigcup_{i \geq 0} P_i$, where

$P_i = \{ r[i/I] \mid r$ is a rule of P, I is the stage argument of $r \}$.

The stable models of P and SG(P) are closely related:

Lemma 2. Let P be an XY-program. Then, for each interpretation I:

$S_P(I) = I \iff S_{SG(P)}(I) = I$



Proof. See Appendix. □ 

However, the dependency graph of SG(P) (which is obviously the same as P)
does not induce necessarily a topological sort, because in general XY-programs
are not stratified, and therefore Lemma 1 is not directly applicable. To tackle
this problem, we distinguish the predicate symbol p in the program fragment
$P_i$ from the same predicate symbol in all other fragments $P_j$ with $j \neq i$, by
differentiating the predicate symbols using the temporal argument. Therefore, if
p(i, x) is an atom involved in some rule of $P_i$, its modified version is $p_i(x)$. More
precisely, we introduce, for any XY-program P, its modified version SO(P) (for
stage-out), defined by $SO(P) = \bigcup_{i \geq 0} SO(P)_i$ where $SO(P)_i$ is obtained from
the program fragment $P_i$ of SG(P) by extracting the stage arguments from any
atom, and adding it to the predicate symbol of the atom. Similarly, the modified
version SO(I) of an interpretation I is defined. Therefore, the atom p(i, x) is
in I iff the atom $p_i(x)$ is in SO(I), where i is the value in the stage argument
position of relation p.

Unsurprisingly, the stable models of SG(P) and SO(P) are closely related:

Lemma 3. Let P be an XY-program. Then, for each interpretation I:

$S_{SG(P)}(I) = I \iff S_{SO(P)}(SO(I)) = SO(I)$.

Proof. See Appendix. □ 

Our aim is now to conclude that, for a given Datalog++ program P:

(a) $SO(P)_0 \prec SO(P)_1 \prec \cdots$ is the topological sort over SO(P) in the hypothesis
of Lemma 1; recall that, for $i \geq 0$, $SO(P)_i$ consists of the rules from SO(P)
with stage argument i in their heads;

(b) by Lemmas 1, 2 and 3, an interpretation I is a stable model of P iff I can be
constructed as $\bigcup_{i \geq 0} I_i$ where, for $i \geq 0$, $I_i$ is a stable model of $SO(P)_i^{red(I^{(i)})}$,
i.e. the clique $SO(P)_i$ reduced by substituting the atoms deduced at stages
earlier than i.

On the basis of (b) above, it is possible to define an iterative procedure to
construct an arbitrary stable model M of P as the union of the interpretations
$M_0, M_1, \ldots$ defined as follows:

Iterated stable model procedure.

Base case. $M_0$ is a stable model of the bottom clique $SO(P)_0$.

Induction case. For $i > 0$, $M_i$ is a stable model of $SO(P)_i^{red(M^{(i)})}$, i.e. the
clique $SO(P)_i$ reduced with respect to $M_0 \cup \cdots \cup M_{i-1}$. □

The interpretation $M = \bigcup_{i \geq 0} M_i$ is called an iterated stable model of P.

It should be observed that this construction is close to the procedure called 
iterated choice fixpoint in [4]. Also, following the approach of [9], each local 
stable model Mi can in turn be efficiently constructed by a nondeterministic 
fixpoint computation, in polynomial time. 

^ In general, $SO(P)_i$ can be composed by more than one clique, so that in the above
expression it should be replaced by $SO(P)_i^{1} \prec \cdots \prec SO(P)_i^{n_i}$. However, for ease of
presentation we ignore it, since such general case is trivially deduceable from what
follows.

Unfortunately, the desired result that the notions of stable model and iterated
stable model coincide does not hold in full generality, in the sense that the
iterative procedure is not complete for arbitrary Datalog++ programs. In
fact, as demonstrated by the example below, an undisciplined use of choice in
Datalog++ programs may cause the presence of stable models that cannot be
computed incrementally over the hierarchy of cliques.

Example 2. Consider the following simple Datalog++ program P:

q(0, a).
q(s(I), b) ← q(I, a).
p(I, X) ← q(I, X), choice((), X).

In the stable version SV(P) of P, the rule defining predicate p is replaced by:

p(I, X) ← q(I, X), chosen(X).
chosen(X) ← q(I, X), ¬diffchoice(X).
diffchoice(X) ← chosen(Y), Y ≠ X.

It is readily checked that SV(P) admits two stable models, namely {q(0, a),
q(s(0), b), p(0, a)} and {q(0, a), q(s(0), b), p(s(0), b)}, but only the first model
is an iterated stable model, and therefore the second model cannot be computed
using the iterated choice fixpoint of [4]. □

The technical reason for this problem is that the free use of the choice construct
inhibits the possibility of defining a topological sort on SO(P) based on the value
of the stage argument. In Example 2, the predicate dependency relation of
SO(SV(P)) induces a dependency among stage i and the stages j > i, because
of the dependency of the chosen predicate from the predicates $q_i$ for all stages
$i \geq 0$.

To prevent this problem, it suffices to require that choice goals refer to the
stage argument I in the domain of the associated functional dependency. The
Datalog++ programs which comply with this constraint are called choice-safe.
The following is a way to turn the program of Example 2 into a choice-safe
program (with a different semantics):

p(I, X) ← q(I, X), choice(I, X).

This syntactic restriction, moreover, does not greatly compromise the expres- 
siveness of the query language, in that it is possible to simulate within this 
restriction most of the general use of choice (see [13]). 
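The stable model test of Sect. 2 applied to Example 2 and to its choice-safe variant, as an added Python sketch that is not code from the paper. The grounding over two stages (1 stands for s(0)), the reading of choice(I, X) as the dependency I → X, and all function names are assumptions of this example.

```python
from itertools import combinations

# A ground rule is (head, positive_body, negative_body); atoms are strings.

def reduct(rules, interp):
    """H(P, I): drop rules having a negated atom in I, then drop the negations."""
    return [(head, pos) for head, pos, neg in rules if not set(neg) & interp]

def least_model(positive_rules):
    """Least fixpoint of a positive ground program (naive iteration)."""
    model, changed = set(), True
    while changed:
        changed = False
        for head, pos in positive_rules:
            if head not in model and all(atom in model for atom in pos):
                model.add(head)
                changed = True
    return model

def is_stable(rules, interp):
    """M is stable iff S_P(M) = M, where S_P(I) is the least model of H(P, I)."""
    interp = set(interp)
    return least_model(reduct(rules, interp)) == interp

def stable_models(rules):
    """Brute force: a stable model can only contain atoms that occur as heads."""
    heads = sorted({head for head, _, _ in rules})
    found = []
    for size in range(len(heads) + 1):
        for subset in combinations(heads, size):
            if is_stable(rules, subset):
                found.append(frozenset(subset))
    return found

STAGES = (0, 1)        # assumption: 1 stands for s(0); later stages derive nothing
CONSTS = ("a", "b")

def ground_example2(choice_safe):
    """Ground SV(P) for Example 2. With choice_safe=True the stage argument is
    part of the chosen/diffchoice atoms, i.e. it is in the domain of the FD."""
    rules = [("q(0,a)", [], []),
             ("q(1,b)", ["q(0,a)"], [])]   # instance I = 0 of q(s(I),b) <- q(I,a)
    for i in STAGES:
        for x in CONSTS:
            key = f"{i},{x}" if choice_safe else x
            rules.append((f"p({i},{x})", [f"q({i},{x})", f"chosen({key})"], []))
            rules.append((f"chosen({key})", [f"q({i},{x})"], [f"diffchoice({key})"]))
            for y in CONSTS:
                if y != x:
                    other = f"{i},{y}" if choice_safe else y
                    rules.append((f"diffchoice({key})", [f"chosen({other})"], []))
    return rules

def visible(model):
    """Hide the auxiliary chosen/diffchoice atoms, as the listing in the text does."""
    return frozenset(atom for atom in model if atom.startswith(("p(", "q(")))

def example2_models(choice_safe=False):
    return {visible(m) for m in stable_models(ground_example2(choice_safe))}

if __name__ == "__main__":
    for safe in (False, True):
        print("choice-safe" if safe else "unrestricted choice")
        for model in sorted(example2_models(safe), key=sorted):
            print("  ", sorted(model))
```

With unrestricted choice the single global pick lets a later stage pre-empt an earlier one, which is why a stage-by-stage computation misses the second model; the choice-safe grounding has one pick per stage and a single stable model.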

The above considerations are summarized in the following main result of 
the paper, which, under the mentioned restriction of choice-safety, is a direct 
consequence of Lemmas 1, 2 and 3. 

Theorem 1 (Correctness and completeness of the iterated stable 
model procedure). 

Let P be a choice-safe Datalog++ program and I an interpretation. Then I is a
stable model of SV(P) iff it is an iterated stable model of P. □

The following example shows a computation with the iterated stable model 
procedure. 

Example 3. Consider the following Datalog++ version of the seminaive
program, discussed in [19], which non-deterministically computes a maximal path
from node a over a graph g:

delta(0, a).
delta(s(I), Y) ← delta(I, X), g(X, Y), ¬all(I, Y), choice((I, X), Y).
all(I, X) ← delta(I, X).
all(s(I), X) ← all(I, X), delta(s(I), _).

Assume that the graph is given by g = {(a, b), (b, c), (b, d), (d, e)}. The
following interpretations are carried out at each stage of the iterated stable model
procedure:

1. $I_0 = \{delta_0(a), all_0(a)\}$.

2. $I_1 = \{all_1(a), all_1(b), delta_1(b)\}$.

3. $I_2^1 = \{all_2(a), all_2(b), delta_2(c), all_2(c)\}$,
$I_2^2 = \{all_2(a), all_2(b), delta_2(d), all_2(d)\}$

4. $I_3^1 = \emptyset$, $I_3^2 = \{all_3(a), all_3(b), all_3(d), delta_3(e), all_3(e)\}$

5. $I_j = \emptyset$ for $j > 3$.

By Theorem 1, we conclude that there are two stable models for the program:
$I^1 = I_0 \cup I_1 \cup I_2^1$ and $I^2 = I_0 \cup I_1 \cup I_2^2 \cup I_3^2$. Clearly, any realistic implementation,
such as that provided in LDL++, computes nondeterministically only one of
the possible stable models. □

4 Optimization of Datalog++ queries

A systematic study of query optimization techniques is needed to achieve
efficient implementations of the iterated stable model procedure. In this section
we sketch the directions along which our research is developing. A first line is
concerned with defining ad hoc optimizations for Datalog++, by exploiting the
particular syntactic structure due to the temporal arguments, which represents
a systematization and an extension of ideas first presented in [19]. A second line
of research investigates how to gear classic optimizations, such as magic sets, to
Datalog++.



Forgetful-fixpoint computations. In many applications (e.g., modeling up- 
dates and active rules [18,7]) queries are issued with reference to the final stage 
only (which represents the commit state of the database). Such queries often 
exhibit the form p(I, X), ¬p(s(I), _), with the intended meaning “find the value
X of p in the final state of p”. This implies that (i) when computing the next
stage, we can forget all the preceding states but the last one (see [19]), and
(ii) if there exists a stage I such that p(I, X), ¬p(s(I), _) is unique, we can stop
the computation process once the above query is satisfied. For instance, the
program in Example 3 with the query delta(I, X), ¬delta(s(I), _) computes the
last node visited in a (nondeterministically chosen) maximal path starting from
a. To answer this query, it suffices to consider either the partial model $I_2^1$ or the
partial model $I_3^2$, and hence we can discard the previous partial models during
the computation.

Another interesting case occurs when the answer to the query is distributed
along the stages, e.g., when we are interested in the answer to a query such as
delta(_, X), which ignores the stage argument. In this case, we can collect the
partial answers via a gathering predicate defined with a copy-rule. For instance,
the all predicate in Example 3 collects all the nodes reachable from a in the
selected path. Then the query all(I, X), ¬all(s(I), _), which is amenable for
the described optimization, is equivalent to the query delta(_, X), which on the
contrary does not allow it. Therefore, by (possibly) modifying the program with
copy-rules for the all predicate, we can apply systematically the space optimized
forgetful-fixpoint.
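Example 3 and the forgetful-fixpoint query delta(I, X), ¬delta(s(I), _), as an added Python sketch (not the paper's or LDL++'s code): the four rules are hand-compiled into a stage-to-stage step, every choice is enumerated to list the iterated stable models, and a second function keeps only the current stage. Function names and the `pick` parameter are assumptions of this example.

```python
from itertools import product

# Edge relation g of Example 3.
G = {("a", "b"), ("b", "c"), ("b", "d"), ("d", "e")}

def next_stages(delta, all_, graph):
    """Every stable model of the next stage, given delta and all at stage I.
    Hand-compiled from the rules of Example 3:
      delta(s(I),Y) <- delta(I,X), g(X,Y), not all(I,Y), choice((I,X),Y).
      all(I,X)      <- delta(I,X).
      all(s(I),X)   <- all(I,X), delta(s(I),_).
    Returns a list of (delta, all) pairs; an empty pair means the stage is empty.
    """
    candidates = {}
    for x in sorted(delta):
        ys = sorted(y for (u, y) in graph if u == x and y not in all_)
        if ys:
            candidates[x] = ys
    if not candidates:
        return [(frozenset(), frozenset())]
    stages = []
    for picks in product(*candidates.values()):   # one Y per X: FD (I,X) -> Y
        new_delta = frozenset(picks)
        stages.append((new_delta, new_delta | all_))   # copy-rule fires
    return stages

def iterated_stable_models(start, graph):
    """Enumerate all iterated stable models as lists of (delta_i, all_i)."""
    models = []

    def extend(history):
        delta, all_ = history[-1]
        for new_delta, new_all in next_stages(delta, all_, graph):
            if not new_delta:
                models.append(history)        # all later stages are empty
            else:
                extend(history + [(new_delta, new_all)])

    first = frozenset({start})                # delta(0,a) and all(0,a)
    extend([(first, first)])
    return models

def as_atoms(history):
    """Render a model in stage-out notation, e.g. delta2(c), all2(a)."""
    atoms = set()
    for i, (delta, all_) in enumerate(history):
        atoms |= {f"delta{i}({x})" for x in delta}
        atoms |= {f"all{i}({x})" for x in all_}
    return atoms

def forgetful_last_nodes(start, graph, pick=min):
    """Forgetful fixpoint: only the current stage is kept in memory. `pick`
    resolves each nondeterministic choice; the result answers the query
    delta(I,X), not delta(s(I),_)."""
    delta = all_ = frozenset({start})
    while True:
        options = next_stages(delta, all_, graph)
        new_delta, new_all = pick(options, key=lambda stage: sorted(stage[0]))
        if not new_delta:
            return set(delta)                 # final stage reached
        delta, all_ = new_delta, new_all      # earlier stages are discarded

if __name__ == "__main__":
    for history in iterated_stable_models("a", G):
        print(sorted(as_atoms(history)))
    print(forgetful_last_nodes("a", G, min), forgetful_last_nodes("a", G, max))
```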

Delta-fixpoint computations. We already mentioned the presence of a
copy-rule in Example 3:

all(s(I), X) ← all(I, X), delta(s(I), _).

Its effect is that of copying all the tuples from the stage I to the next one, if
any. We can avoid such useless space occupation, by maintaining for each stage
only the modifications which are to be applied to the original relation in order to
obtain the actual version. For example, the above rule represents no modification
at all, and hence it should not have any effect; indeed, it suffices to keep track
of the additions to the original database dictated by the other rule:

all(I, X) ← delta(I, X).

which can be realised by a supplementary relation all⁺ containing, at each
stage, the new tuples produced. If we replace the copy-rule with a delete-rule of
the form:

all(s(I), X) ← all(I, X), delta(s(I), _), ¬q(X).

we need simply to keep track of the negative contribution due to literal ¬q(X),
which can be stored in a relation all⁻. Each all(I, …) can then be obtained
by integrating all(0, …) with all the all⁺(J, …) and all⁻(J, …) atoms, with
J < I.

Side-effect computations. A direct combination of the previous two
techniques gives rise to a form of side-effect computation. Let us consider, as an
example, the nondeterministic ordering of an array performed by swapping at each
step any two elements which violate ordering. Here, the array $a = \langle a_1, \dots, a_n \rangle$
is represented by the relation a with extension a(1, $a_1$), …, a(n, $a_n$).

ar(0, P, Y) ← a(P, Y).
swp(I, P1, P2) ← ar(I, P1, X), ar(I, P2, Y), X > Y, P1 < P2,
                 choice((I), (P1, P2)).
ar(s(I), P, X) ← ar(I, P, X), ¬swp(I, P, _), ¬swp(I, _, P).
ar(s(I), P, X) ← ar(I, P1, X), swp(I, P1, P).
ar(s(I), P, X) ← ar(I, P1, X), swp(I, P, P1).

? ar(I, X, Y), ¬ar(s(I), _, _)

At each stage i we nondeterministically select an unordered pair x, y of elements,
delete the array atoms ar(i, p1, x) and ar(i, p2, y) where they appear, and add
the new atoms ar(s(i), p1, y) and ar(s(i), p2, x) representing the swapped pair.
The query allows a forgetful-fixpoint computation (in particular, the stage
selected by the query is unique), and the definition of predicate ar is composed
by delete-rules and an add-rule. This means that at each step we can (i) forget
the previously computed stages (but the last), and (ii) avoid copying most of
relation ar, keeping track only of the deletions and additions to be performed. If
the requested updates are immediately performed, the execution of the proposed
program, then, boils down to the efficient iterative computation of the following
(nondeterministic) Pascal-like program:

while ∃I a[I] > a[I + 1] do swap(a[I], a[I + 1]) od

Magic Sets. Consider choice-free XY-programs. It is well known that the stan- 
dard magic-sets technique cannot be directly applied to programs with negation, 
hence neither to XY-programs. Choice-free XY-programs are locally stratified
and then also modularly locally stratified, so we can apply, for example, Ross’ 
extension [16]. One disadvantage of this approach is that the XY-structure is de- 
stroyed, and therefore an evaluation method is required which is not compatible 
with the one presented in this paper, so the optimizations discussed above are 
not applicable. In order to preserve opportunities for optimization, we apply the 
magic set transformation in such a way that the XY-structure is not corrupted. 
To obtain this, it is necessary to avoid the constraints propagation backward 
along the stages, and hence to make the optimization local to each stage. This 
point is illustrated by a simple example: 

Example 4. Let us consider the following stratified program:

p(X, Y) ← bi(X, Y).
p(X, Y) ← p(X, Z), bi(Z, Y).
q(X) ← bi(d, X), ¬p(a, X).
q(Y) ← q(e), p(e, Y).
?q(c).   (bi ∈ EDB)

Here we can apply the standard transformation locally to each stratum. This 
means that each relation used in a stratum but defined in a previous one is 
handled as an EDB relation, not involving it in the transformation (i.e., we don’t 
compute its corresponding magic rules). In our example, this avoids the creation 
of the dependency q → m_p, thus preserving the stratification. Obviously, now
each rule body goal referring a predicate defined in a previous stratum plays the 
role of a query for it, and then we have to produce a corresponding seed. In our 
example, we obtain the supplementary seeds m_p(a) and m_p(e), in addition to 
the standard m_q(c). □ 

We can then extend the method to an XY-program P by simply applying the
transformation locally to each stage instance of P. Each such instance is a
stratified subprogram, and hence we can apply to it any suitable version of magic
sets (e.g., that in [3], or the above-mentioned one in [16]), noticing that now the
XY-structure is preserved.

Example 5. Consider the following XY-program: 

queue(nil, X) <- first(X).                             % A queue of people.
queue(s(I), Y) <- next(X, Y), queue(I, X).
candidate(I, X, N) <- queue(I, X), level(X, N).        % Each invited one can
candidate(I, Y, N) <- join(X, Y), candidate(I, X, _),  % invite somebody.
                      level(Y, N).
accept(I, X) <- candidate(I, X, N), N < 6.             % Only N < 6 enter.
?accept(I, mary).                                      % Can Mary enter?

It is a positive program, so locally to each stage we can apply the simplest
standard magic sets. Denoting the local magic predicate for p by lm_p, we obtain:

% Modified rules
queue(nil, X) <- lm_queue(nil, X), first(X).
queue(s(I), Y) <- lm_queue(s(I), Y), next(X, Y), queue(I, X).
candidate(I, X, N) <- lm_candidate(I, X), queue(I, X), level(X, N).
candidate(I, Y, N) <- lm_candidate(I, Y), join(X, Y), candidate(I, X, _),
                      level(Y, N).
accept(I, X) <- lm_accept(I, X), candidate(I, X, N), N < 6.

% Magic rules
lm_queue(I, X) <- lm_candidate(I, X).
lm_candidate(I, X) <- lm_candidate(I, Y), join(X, Y).
lm_candidate(I, X) <- lm_accept(I, X).

% Seeds
lm_queue(I, X) <- .
lm_accept(I, mary) <- .

%
?accept(I, mary).

Our restriction causes the absence of any magic rule corresponding to the second
original rule, which computes an inter-stage transitive closure. Such a magic
rule is replaced instead by the seed lm_queue(I, X) <- , which inhibits any
optimization regarding the predicate queue. Notice that we could also eliminate
every occurrence of the magic predicate lm_queue(I, X) from the magic version
of the program, since the corresponding seed forces all instances of the
predicate to be true. Moreover, the elimination of the rule lm_queue(I, X) <- makes
the program safe. □

Next, we observe that the magic sets transformation applied to programs with
choice does not preserve completeness with respect to their stable models.
In other words, the propagation of constraints may cut off some stable models
of the program. We can see this in the following simple example, where a is an
EDB relation with extension a(1), a(2):

b(X) <- a(X), choice((), X).

?b(1)

with magic version:

b(X) <- m_b(X), a(X), choice((), X).
m_b(1).

?b(1)

The magic version always answers yes, while the original program
nondeterministically answers yes or no.

The magic set optimizations for Datalog++ studied so far, although “minimal”,
represent a first step towards a more systematic study of the vast repertoire
of optimizations of this kind, which have to be further investigated.
Appendix

Proof sketch of Lemma 1. The proof is structured as follows: (1) ⟺ (3)
and (2) ⟺ (3).

(3) =4^ (1) We next show that (a) Sp{I) C I, and (b) I C Sp{I). 

(a) Each rule in H(P, I) comes from a rule r of P, which in turn appears
in for some i, and then is a model of r, by the hypothesis. No 
atom in / \ appears in r, so also I is model of r. I is then a model 
of H{P, I), and hence Sp{I) C I. 

(b) If A G /, then A G for some i, so (by the hypothesis and definition 

of Sp) for each I* such that I* = /(,))(/*), A G I* . Moreover, for 

each /' such that /' = Th-(p /)(/'), it is readily checked that for each i 
/'(®) = Tjj(Q(o,p.))(/'(®)), and then / C Sp{I). 

(1) (3) We observe that / = min{I* \ I* = Tjy(py) (/*)}, which implies: 

/(®) = I p'-’ = 

(2) (3) We proceed by induction on i. The base case is trivial. In the 

inductive case, we next show that (a) S'g(i)(/(®^) C /(®), and (b) vice versa. 

(a) Notice that from the induction hypothesis, J^®^ |= and then it 

suffices to show that J^®^ |= Qi (by a simple case analysis). 

(b) Exploiting the induction hypothesis, we have /(®~i) C S'g(i-i) (j(®“^^) = 
5 q(.-U (/(*)) C 5q(.) (J^®^) (by definition of H{P,I)). We now show by 
induction on n that Vn > 0 2 ^p(Q 7 -ed Q '^h(q(') /(•))■ base case 
n = 0 is trivial. In the induction case (n > 0), ii A € j.y then

there exists a rule A bi, ... ,bh in li) such that {b\, . . ., b^} C 

j.y Now, by definition of H and there exists a rule: 

A bi, . . . ,bh, -'Cl, . . . , -iCj, di, . . ., dk, “'Ci, . . . , -ic; 

in Qi such that {ci, . . . , Cj}n/i =0 and |= di A. . .Adfe A-iCi A. . .A 

-ic;. Observe now that by definition oi H, A <— bi, . . . ,bh,d\, . . . ,dk € 
Furthermore, by the induction hypothesis and C 

S'g(i) (/(*)), we have the following: {bi, . . . ,bh, di, . . . , dk} jd))- 

Hence, by definition of T“, H G i(i)y that is H G Sq(i) This 

completes the innermost induction, and we obtain that li = SqMli) Q 

(3) (2) We proceed in a way similar to the preceding case. To see that

\fi li C SQTed{Ii), it suffices to verify that for each rule instance r with head 
A, the following property holds: 'in A & K')) ^ ^ / )' 

the converse, we simply observe that li is a model of □ 

Proof sketch of Lemma 2. We show by induction that '^^•T^(sg(p) /)(0) = 
T^(pj)(0), which implies the thesis. The base case is trivial. For the induc- 
tive case, observe that since P is XY-stratified, if H G Tp^pj.^(0) then for 
each rule H •<— Hi, . . ., G H{P,I) such that {Hi,...,H„} G Th(^pj-^{9) = 
^ff(SG(P) have A Bi, . . ., Bn G H{SG{P), I). Vice versa, if H G 
^fftsG(P) /) A-^ Bi,. . .,Bn G H{SG{P), I) such that 

{Hi, . . ., H„} G Th(sg(p),i) (®) “ have H •<— Hi, . . ., H„ G H{P,I). 

□ 

Proof sketch of Lemma 3. It is easy to see that SO{SG{P)) = SO{P). Hence, 
the least Herbrand models of SO{H{SG{P), I)) and H{SO{P), SO{I)) coincide. 

□ 
Abstract. We study revision programming, a logic-based mechanism for
enforcing constraints on databases. The central concept of this approach
is that of a justified revision based on a revision program. We show that
for any program P and for any pair of initial databases $\mathcal{I}$ and $\mathcal{I}'$ we can
transform (shift) the program P to a program P' so that the size of the
resulting program does not increase and so that P-justified revisions of $\mathcal{I}$
are shifted to P'-justified revisions of $\mathcal{I}'$. Using this result we show that
revision programming is closely related to a subsystem of general logic
programming of Lifschitz and Woo. This, in turn, allows us to reduce
revision programming to logic programming extended by the concept of
a constraint with a suitably modified stable model semantics. Finally,
we use the connection between revision programming and general logic
programming to introduce a disjunctive version of our formalism.



1 Introduction 

Revision programming was introduced in [MT98] as a formalism to describe
and study the process of database updates. In this formalism, the user specifies
updates by means of revision rules, that is, expressions of the following two
types:

$$\mathrm{in}(a) \leftarrow \mathrm{in}(a_1), \ldots, \mathrm{in}(a_m), \mathrm{out}(b_1), \ldots, \mathrm{out}(b_n) \qquad (1)$$

or

$$\mathrm{out}(a) \leftarrow \mathrm{in}(a_1), \ldots, \mathrm{in}(a_m), \mathrm{out}(b_1), \ldots, \mathrm{out}(b_n), \qquad (2)$$

where $a$, $a_i$ and $b_i$ are data items from some finite universe, say $U$. Rules of the
first type are called in-rules and rules of the second type are called out-rules.

Revision rules have a declarative interpretation as constraints on databases.
For instance, an in-rule (1) imposes on a database the following condition: $a$ is
in the database, or at least one $a_i$, $1 \le i \le m$, is not in the database, or at least
one $b_j$, $1 \le j \le n$, is in the database.

Revision rules also have a computational interpretation that expresses a
preferred way to enforce a constraint. Namely, assume that all data items $a_i$,
$1 \le i \le m$, belong to the current database, say $\mathcal{I}$, and none of the data items
$b_j$, $1 \le j \le n$, belongs to $\mathcal{I}$. Then, to enforce the constraint (1), the item $a$ must
be added to the database (removed from it, in the case of the constraint (2)),
rather than some item $a_i$ removed or some item $b_j$ added.
In [MT98], a precise semantics for revision programs (collections of revision
rules) was defined. Given a revision program P and a database $\mathcal{I}$, this semantics
specifies a family of databases, each of which might be chosen as an update of $\mathcal{I}$ by
means of the program P. These revised databases are called P-justified revisions
of $\mathcal{I}$. In [MT98] (and in the earlier papers [MT94] and [MT95]), basic properties
of justified revisions were established. Subsequently, revision programming was
studied in the context of situation calculus [Bar97] and reasoning about actions
[McCT95,Tur97].

Revision programming has also been investigated from the perspective of its 
close relationship with logic programming. In [MT98], it was argued that revi- 
sion programming extends logic programming with stable semantics by showing 
that revision programs consisting of in-rules only can be identified with logic 
programs. A converse embedding — an encoding of revision programs as logic 
programs — was constructed in [PT97] . The techniques from this paper are now 
being exploited in the study of the problem of updating logic programs [AP97] 
and resulted in a new paradigm of dynamic logic programming [ALP+98]. Well- 
founded semantics for a formalism closely related to revision programming was 
discussed in [BM97]. 

The key property of revision programming is the duality of in and out literals.
The duality theorem (Theorem 3.8 from [MT98]) demonstrated that every
revision program P has a counterpart, a dual revision program $P^D$, such that
P-justified revisions of a database $\mathcal{I}$ are precisely the complements of the
$P^D$-justified revisions of the complement of $\mathcal{I}$.

The key result of this paper, the shifting theorem (Theorem 4), is a generalization
of the duality theorem from [MT98]. It states that P-justified revisions
of a database $\mathcal{I}$ can be computed by revising an arbitrarily chosen database $\mathcal{I}'$ by
means of a certain “shifted” revision program P'. This program P' is obtained
from P by uniformly replacing some literals in P by their duals. The choice of
literals to replace depends on $\mathcal{I}$ and $\mathcal{I}'$. In addition, $\mathcal{I}$ and $\mathcal{I}'$ also determine a
method to reconstruct P-justified revisions of $\mathcal{I}$ from P'-justified revisions of $\mathcal{I}'$.

As a special case, the shifting theorem tells us that justified revisions of
arbitrary databases are determined by revisions, via shifted programs, of the
empty database. This result implies two quite surprising facts. First, it means
that although a revision problem is defined as a pair $(P, \mathcal{I})$ (a revision program
and a database), full information about any revision problem can be recovered
from revision problems of a very special type that deal with the empty database.
Moreover, the reduction does not involve any growth in the size of the revision
program. Second, the shifting theorem implies the existence of a natural
equivalence relation between the revision problems: two revision problems are
equivalent if one can be shifted onto another.

The first of these two observations (the possibility to project revision prob- 
lems onto problems with the empty database) allows us to establish a direct 
correspondence between revision programming and a version of logic program- 
ming proposed by Lifschitz and Woo [LW92]. We will refer to this latter system 
as general disjunctive logic programming or, simply, general logic programming. 
In general logic programming both disjunction and negation as failure operators
are allowed in the heads of rules. In this paper we study the relationship
between revision programming and general logic programming. First, in Section 3,
we show that revision programming is equivalent to logic programming with
stable model semantics extended by a concept of a constraint. Second, in Section 4,
we extend revision programming to the disjunctive case.

2 Preliminaries 

In this section we will review main concepts and results concerning revision 
programming that are relevant to the present paper. The reader is referred to 
[MT98] for more details. 

Elements of some finite universe $U$ are called atoms. Subsets of $U$ are called
databases. Expressions of the form in(a) or out(a), where a is an atom, are
called literals. Literals will be denoted by Greek letters $\alpha$, etc. For a literal in(a),
its dual is the literal out(a). Similarly, the dual of out(a) is in(a). The dual of
a literal $\alpha$ is denoted by $\alpha^D$.

For a set of atoms $\mathcal{R} \subseteq U$, we define

$$\mathcal{R}^c = \{\mathrm{in}(a) : a \in \mathcal{R}\} \cup \{\mathrm{out}(a) : a \notin \mathcal{R}\}.$$

A set of literals is coherent if it does not contain a pair of dual literals. Given
a database $\mathcal{I}$ and a coherent set of literals $L$, we define

$$\mathcal{I} \oplus L = (\mathcal{I} \cup \{a : \mathrm{in}(a) \in L\}) \setminus \{a : \mathrm{out}(a) \in L\}.$$

Let P be a revision program. The necessary change of P, $NC(P)$, is the least
model of P, when P is treated as a Horn program built of independent propositional
atoms of the form in(a) and out(b). The necessary change describes all
insertions and deletions that are enforced by the program, independently of the
initial database.

In the transition from a database $\mathcal{I}$ to a database $\mathcal{R}$, the status of some
elements does not change. A basic principle of revision programming is the rule
of inertia according to which, when specifying change by means of rules in a
revision program, no explicit justification for not changing the status is required.
Explicit justifications are needed only when an atom must be inserted or deleted.
The collection of all literals describing the elements that do not change the status
in the transition from a database $\mathcal{I}$ to a database $\mathcal{R}$ is called the inertia set for
$\mathcal{I}$ and $\mathcal{R}$, and is defined as follows:

$$I(\mathcal{I}, \mathcal{R}) = \{\mathrm{in}(a) : a \in \mathcal{I} \cap \mathcal{R}\} \cup \{\mathrm{out}(a) : a \notin \mathcal{I} \cup \mathcal{R}\}.$$

By the reduct of P with respect to a pair of databases $(\mathcal{I}, \mathcal{R})$, denoted by
$P_{\mathcal{I},\mathcal{R}}$, we mean the revision program obtained from P by eliminating from the
body of each rule in P all literals in $I(\mathcal{I}, \mathcal{R})$.

The necessary change of the program $P_{\mathcal{I},\mathcal{R}}$ provides a justification for some
insertions and deletions. These are exactly the changes that are (a posteriori)
justified by P in the context of the initial database $\mathcal{I}$ and a (putative) revised
database $\mathcal{R}$. The database $\mathcal{R}$ is a P-justified revision of $\mathcal{I}$ if the necessary change
of $P_{\mathcal{I},\mathcal{R}}$ is coherent and if $\mathcal{R} = \mathcal{I} \oplus NC(P_{\mathcal{I},\mathcal{R}})$.

The following example illustrates the notion of justified revision. 

Example 1. Assume that we need to form a committee. There are four people
who can be on the committee: Ann, Bob, Tom and David. There are four
conditions on the committee members which need to be satisfied.

First, Ann and Bob are experienced employees, and we want to see at least
one of them on the committee. That is, if Ann is not on the committee, Bob must
be there, and if Bob is not on the committee, Ann must be there. Second, Tom
is an expert from another country and does not speak English well enough yet.
So, if Tom is on the committee, David should be on the committee too, because
David can serve as an interpreter. If David is not on the committee, Tom should
not be there, either. Third, David asked not to be on the same committee with
Ann. Fourth, Bob asked not to be on the same committee with David.

The initial proposal is to have Ann and Tom on the committee.

We want to form a committee which satisfies the four conditions and differs
minimally from the initial proposal. This is a problem of computing justified
revisions of the initial database $\mathcal{I} = \{Ann, Tom\}$ with respect to the revision
program P:

in(Bob) ← out(Ann)
in(Ann) ← out(Bob)
in(David) ← in(Tom)
out(Tom) ← out(David)
out(Ann) ← in(David)
out(David) ← in(Bob)

Let us show that $\mathcal{R} = \{Ann\}$ is a P-justified revision of $\mathcal{I}$. Clearly,
$U = \{Ann, Bob, Tom, David\}$. Thus,

$$I(\mathcal{I}, \mathcal{R}) = \{\mathrm{in}(Ann), \mathrm{out}(Bob), \mathrm{out}(David)\}.$$

Therefore, $P_{\mathcal{I},\mathcal{R}}$ is the following.

in(Bob) ← out(Ann)
in(Ann) ←
in(David) ← in(Tom)
out(Tom) ←
out(Ann) ← in(David)
out(David) ← in(Bob)

Hence, $NC(P_{\mathcal{I},\mathcal{R}}) = \{\mathrm{in}(Ann), \mathrm{out}(Tom)\}$. It is coherent and $\mathcal{R} = \mathcal{I} \oplus NC(P_{\mathcal{I},\mathcal{R}})$.
Consequently, $\mathcal{R}$ is a P-justified revision of $\mathcal{I}$ (in fact, unique). □




Revision Programming = Logic Programming + Integrity Constraints 






In the paper we will use the following characterizations of justified revisions 
given in [MT98]. 

Theorem 1. ([MT98]) The following conditions are equivalent:

1. A database $\mathcal{R}$ is a P-justified revision of a database $\mathcal{I}$,

2. $NC(P \cup \{\alpha \leftarrow\ : \alpha \in I(\mathcal{I}, \mathcal{R})\}) = \mathcal{R}^c$.

Two results from [MT98] are especially pertinent to the results of this paper.
Given a revision program P, let us define the dual of P ($P^D$ in symbols) to be the
revision program obtained from P by simultaneously replacing all occurrences
of all literals by their duals. The first of the two results we will quote here,
the duality theorem, states that revision programs P and $P^D$ are, in a sense,
equivalent. Our main result of this paper (Theorem 4) is a generalization of the
duality theorem.

Theorem 2. (Duality Theorem [MT98]) Let P be a revision program and
let $\mathcal{I}$ be a database. Then, $\mathcal{R}$ is a P-justified revision of $\mathcal{I}$ if and only if $U \setminus \mathcal{R}$ is
a $P^D$-justified revision of $U \setminus \mathcal{I}$.

The second result demonstrates that there is a straightforward relationship
between revision programs consisting of in-rules only and logic programs. Given
a logic program clause c

$$p \leftarrow q_1, \ldots, q_m, \mathbf{not}\ s_1, \ldots, \mathbf{not}\ s_n$$

we define the revision rule rp(c) as

$$\mathrm{in}(p) \leftarrow \mathrm{in}(q_1), \ldots, \mathrm{in}(q_m), \mathrm{out}(s_1), \ldots, \mathrm{out}(s_n).$$

For a logic program P, we define the corresponding revision program rp(P) by:
$rp(P) = \{rp(c) : c \in P\}$.

Theorem 3. ([MT98]) A set of atoms M is a stable model of a logic program
P if and only if M is an rp(P)-justified revision of $\emptyset$.

It is also possible to represent revision programming in logic programming. 
This observation is implied by complexity considerations (both the existence of a 
justified revision and the existence of a stable model problems are NP-complete) . 
An explicit representation was discovered in [PT97] . In addition to representing 
revision rules as logic program clauses, it encodes the initial database by means 
of new variables and encodes the inertia rule as logic program clauses. As a 
consequence to our main result (Theorem 4), we obtain an alternative (and 
in some respects, simpler) connection between revision programming and logic 
programming. Namely, we establish a direct correspondence between revision 
programs and general logic programs of [LW92]. 






Victor Marek et al. 



3 Shifting initial databases and programs 



In this section we will introduce a transformation of revision programs and data- 
bases that preserves justified revisions. Our results can be viewed as a general- 
ization of the results from [MT98] on the duality between in and out in revision 
programming. 

Let W be a subset of U. We define a W-transformation on the set of all
literals as follows (below, $\alpha = \mathrm{in}(a)$ or $\alpha = \mathrm{out}(a)$):

$$T_W(\alpha) = \begin{cases} \alpha^D & \text{when } a \in W \\ \alpha & \text{when } a \notin W. \end{cases}$$

Thus, $T_W$ replaces some literals by their duals and leaves other literals
unchanged. Specifically, if a belongs to W then literals in(a) and out(a) are
replaced by their duals.

The definition of $T_W$ naturally extends to sets of literals and sets of atoms.
Namely, for a set L of literals, we define $T_W(L) = \{T_W(\alpha) : \alpha \in L\}$. Similarly,
for a set A of atoms, we define

$$T_W(A) = \{a : \mathrm{in}(a) \in T_W(A^c)\}.$$

The operator $T_W$ has several useful properties. In particular, for a suitable
set W, $T_W$ allows us to transform any database $\mathcal{I}_1$ into another database $\mathcal{I}_2$.
Specifically, we have:

$$T_{\mathcal{I}_1 \div \mathcal{I}_2}(\mathcal{I}_1) = \mathcal{I}_2,$$

where $\div$ denotes the symmetric difference operator. Thus, it also follows that
$T_{\mathcal{I}}(\mathcal{I}) = \emptyset$ and $T_U(\mathcal{I}) = U \setminus \mathcal{I}$.

Some other properties of the operator $T_W$ are gathered in the following lemma.

Lemma 1. Let $S_1$ and $S_2$ be sets of literals. Then:

1. $T_W(S_1 \cup S_2) = T_W(S_1) \cup T_W(S_2)$;

2. $T_W(S_1 \cap S_2) = T_W(S_1) \cap T_W(S_2)$;

3. $T_W(S_1 \setminus S_2) = T_W(S_1) \setminus T_W(S_2)$;

4. $T_W(S_1) = T_W(S_2)$ if and only if $S_1 = S_2$;

5. $T_W(T_W(S_1)) = S_1$.

In fact, Lemma 1 holds when $S_1$ and $S_2$ are sets of atoms as well.

The operator $T_W$ can now be extended to revision rules and programs. For
a revision rule $r = \alpha \leftarrow \alpha_1, \ldots, \alpha_m$, we define

$$T_W(r) = T_W(\alpha) \leftarrow T_W(\alpha_1), \ldots, T_W(\alpha_m).$$

Finally, for a revision program P, we define $T_W(P) = \{T_W(r) : r \in P\}$.

The main result of our paper, the shifting theorem, states that revision programs
P and $T_W(P)$ are equivalent in the sense that they define essentially the
same notion of change.
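Theorem 4 (Shifting theorem). Let P be a revision program. For every two
databases $\mathcal{I}_1$ and $\mathcal{I}_2$, a database $\mathcal{R}_1$ is a P-justified revision of $\mathcal{I}_1$ if and only if
$T_{\mathcal{I}_1 \div \mathcal{I}_2}(\mathcal{R}_1)$ is a $T_{\mathcal{I}_1 \div \mathcal{I}_2}(P)$-justified revision of $\mathcal{I}_2$.

Proof. Let $W = \mathcal{I}_1 \div \mathcal{I}_2$. When calculating the necessary change, we treat
literals as propositional atoms of the form in(a) and out(b). Observe that the
W-transformation can be viewed as renaming these atoms. If we rename all atoms
in the Horn program, find the least model of the obtained program, and then
rename the atoms back, we will get the least model of the original program.

In other words,

$$T_W(NC(P_{\mathcal{I}_1,\mathcal{R}_1})) = NC(T_W(P_{\mathcal{I}_1,\mathcal{R}_1})).$$

Let $\mathcal{R}_2 = T_W(\mathcal{R}_1)$. Observe that by the definition of $T_W$, $I(\mathcal{I}_2, \mathcal{R}_2) = T_W(I(\mathcal{I}_1, \mathcal{R}_1))$.
Hence, $T_W(P_{\mathcal{I}_1,\mathcal{R}_1}) = (T_W(P))_{\mathcal{I}_2,\mathcal{R}_2}$.

Theorem 1 and Lemma 1 imply the following sequence of equivalences.

- $\mathcal{R}_1$ is a P-justified revision of $\mathcal{I}_1$,

- $NC(P_{\mathcal{I}_1,\mathcal{R}_1}) \cup I(\mathcal{I}_1, \mathcal{R}_1) = \mathcal{R}_1^c$,

- $T_W(NC(P_{\mathcal{I}_1,\mathcal{R}_1})) \cup T_W(I(\mathcal{I}_1, \mathcal{R}_1)) = T_W(\mathcal{R}_1^c)$,

- $NC(T_W(P_{\mathcal{I}_1,\mathcal{R}_1})) \cup I(\mathcal{I}_2, \mathcal{R}_2) = T_W(\{\mathrm{in}(a) : a \in \mathcal{R}_1\} \cup \{\mathrm{out}(a) : a \notin \mathcal{R}_1\})$,

- $NC((T_W(P))_{\mathcal{I}_2,\mathcal{R}_2}) \cup I(\mathcal{I}_2, \mathcal{R}_2) = \mathcal{R}_2^c$,

- $\mathcal{R}_2 = T_W(\mathcal{R}_1)$ is a $T_W(P)$-justified revision of $\mathcal{I}_2$. □

Theorem 2 (the duality theorem) is a special case of Theorem 4 when
$\mathcal{I}_2 = U \setminus \mathcal{I}_1$.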

At first glance, a revision problem seems to have two independent parameters:
a revision program P that specifies constraints to satisfy, and an initial database
$\mathcal{I}$ that needs to be revised by P. The shifting theorem shows that there is a natural
equivalence relation between pairs $(P, \mathcal{I})$ specifying the revision problem.
Namely, a revision problem $(P, \mathcal{I})$ is equivalent to a revision problem $(P', \mathcal{I}')$ if
$P' = T_{\mathcal{I} \div \mathcal{I}'}(P)$. This is clearly an equivalence relation. Moreover, by the shifting
theorem, it follows that if $(P, \mathcal{I})$ and $(P', \mathcal{I}')$ are equivalent then P-justified revisions
of $\mathcal{I}$ are in one-to-one correspondence with P'-revisions of $\mathcal{I}'$. In particular,
every revision problem $(P, \mathcal{I})$ can be “projected” onto an isomorphic revision
problem $(T_{\mathcal{I}}(P), \emptyset)$. Thus, the domain of all revision problems can be fully described
by the revision problems that involve the empty database. There is an
important point to make here. When shifting a revision program, its size does
not change (in other words, all revision programs associated with equivalent
revision problems have the same size).

Example 2. Let us take the same problem about forming a committee which we
considered in Example 1. Recall that $\mathcal{I} = \{Ann, Tom\}$. Let us apply the
transformation $T_{\mathcal{I}}$ (shift to the empty initial database). It is easy to see that
$T_{\mathcal{I}}(P)$ consists of the rules:

in(Bob) ← in(Ann)
out(Ann) ← out(Bob)
in(David) ← out(Tom)
in(Tom) ← out(David)
in(Ann) ← in(David)
out(David) ← in(Bob)

This revision program has only one justified revision of $\emptyset$, {Tom}. Observe
moreover that $\{Tom\} = T_{\mathcal{I}}(\{Ann\})$. This agrees with the assertion of Theorem 4. □
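
The definition of a justified revision in Section 2 and the shifting theorem can be checked mechanically on the committee program. The Python code below is an added example, not code from the paper: it computes justified revisions by brute force over all candidate databases, applies the W-transformation, and verifies Examples 1 and 2 and Theorem 4 for every pair of databases over the four-atom universe. The rule encoding (a head literal paired with a list of body literals) and all function names are assumptions of this example.

```python
from itertools import combinations

# A literal is ("in", atom) or ("out", atom); a rule is (head, [body literals]).
# Revision program P and initial database I of Example 1.
UNIVERSE = frozenset({"Ann", "Bob", "Tom", "David"})
INITIAL = frozenset({"Ann", "Tom"})
PROGRAM = [
    (("in", "Bob"), [("out", "Ann")]),
    (("in", "Ann"), [("out", "Bob")]),
    (("in", "David"), [("in", "Tom")]),
    (("out", "Tom"), [("out", "David")]),
    (("out", "Ann"), [("in", "David")]),
    (("out", "David"), [("in", "Bob")]),
]


def dual(lit):
    sign, atom = lit
    return ("out" if sign == "in" else "in", atom)


def necessary_change(rules):
    """NC(P): least model of P read as a Horn program over in(a)/out(a)."""
    model, changed = set(), True
    while changed:
        changed = False
        for head, body in rules:
            if head not in model and all(b in model for b in body):
                model.add(head)
                changed = True
    return model


def inertia(universe, initial, revised):
    """I(I, R): literals of atoms whose status is the same in I and R."""
    return ({("in", a) for a in initial & revised}
            | {("out", a) for a in universe - (initial | revised)})


def is_justified_revision(rules, universe, initial, revised):
    """R is P-justified iff NC(P_{I,R}) is coherent and R = I (+) NC(P_{I,R})."""
    keep = inertia(universe, initial, revised)
    reduct = [(h, [b for b in body if b not in keep]) for h, body in rules]
    nc = necessary_change(reduct)
    if any(dual(lit) in nc for lit in nc):
        return False  # incoherent necessary change
    inserted = {a for sign, a in nc if sign == "in"}
    deleted = {a for sign, a in nc if sign == "out"}
    return (initial | inserted) - deleted == revised


def subsets(universe):
    items = sorted(universe)
    for k in range(len(items) + 1):
        for combo in combinations(items, k):
            yield frozenset(combo)


def justified_revisions(rules, universe, initial):
    """Brute force: test every candidate database R over the universe."""
    return {r for r in subsets(universe)
            if is_justified_revision(rules, universe, initial, r)}


def shift_program(rules, w):
    """T_W(P): replace every literal on an atom of W by its dual."""
    def t(lit):
        return dual(lit) if lit[1] in w else lit
    return [(t(h), [t(b) for b in body]) for h, body in rules]


def shift_database(db, w):
    """T_W on a set of atoms is the symmetric difference with W."""
    return frozenset(db ^ w)


def shifting_theorem_holds(rules, universe):
    """Check Theorem 4 for every pair of databases I1, I2 over the universe."""
    for i1 in subsets(universe):
        for i2 in subsets(universe):
            w = i1 ^ i2
            shifted = {shift_database(r, w)
                       for r in justified_revisions(rules, universe, i1)}
            if shifted != justified_revisions(shift_program(rules, w), universe, i2):
                return False
    return True


if __name__ == "__main__":
    print(justified_revisions(PROGRAM, UNIVERSE, INITIAL))
    print(justified_revisions(shift_program(PROGRAM, INITIAL), UNIVERSE, frozenset()))
    print(shifting_theorem_holds(PROGRAM, UNIVERSE))
```

The enumeration is exponential in the size of the universe, which is acceptable here because the point is to follow the definitions literally rather than to compute revisions efficiently.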



There is a striking similarity between the syntax of revision programs and 
nondisjunctive (unitary) general logic programs of Lifschitz and Woo [LW92]. 
The shifting theorem, which allows us to effectively eliminate an initial database 
from the revision problem, suggests that both formalisms may be intimately 
connected. In the next section we establish this relationship. This, in turn, allows 
us to extend the formalism of revision programming by allowing disjunctions in 
the heads. 



4 General disjunctive logic programs and revision 
programming 

Lifschitz and Woo [LW92] introduced a formalism called general logic programming
(see also [Lif96] and [SI95]). General logic programming deals with clauses
whose heads are disjunctions of atoms (we will restrict here to the case of atoms
only, even though in the original paper more general syntax is studied) and
atoms within the scope of the negation-as-failure operator. Specifically, Lifschitz
and Woo consider general program rules of the form:

$$A_1 | \ldots | A_k | \mathbf{not}\ A_{k+1} | \ldots | \mathbf{not}\ A_l \leftarrow A_{l+1}, \ldots, A_m, \mathbf{not}\ A_{m+1}, \ldots, \mathbf{not}\ A_n, \qquad (3)$$

which can be also represented as

$$HPos \cup not(HNeg) \leftarrow BPos \cup not(BNeg),$$

where $A_1, \ldots, A_n$ are atoms, $HPos = \{A_1, \ldots, A_k\}$, $HNeg = \{A_{k+1}, \ldots, A_l\}$,
$BPos = \{A_{l+1}, \ldots, A_m\}$, $BNeg = \{A_{m+1}, \ldots, A_n\}$.

A general logic program is defined as a collection of general program rules.
Given a set of atoms M and a clause c of the form (3), M satisfies c if from
the fact that every $A_i$, $l+1 \le i \le m$, belongs to M and no $A_i$, $m+1 \le i \le n$,
belongs to M, it follows that one of $A_i$, $1 \le i \le k$, belongs to M or one of $A_i$,
$k+1 \le i \le l$, does not belong to M.

Lifschitz and Woo introduced a semantics of general logic programs that is
stronger than the semantics described above. It is the semantics of answer sets.
Answer sets are constructed in stages. First, one defines answer sets for programs
that do not involve negation as failure, that is, consist of clauses

$$A_1 | \ldots | A_k \leftarrow A_{k+1}, \ldots, A_m \qquad (4)$$

Given a program P consisting of clauses of type (4), a set of atoms M is an
answer set for P if M is a minimal set of atoms satisfying all clauses in P.

Next, given a general logic program P (now possibly with negation as failure
operator) and a set of atoms M, one defines the reduct of P with respect to M,
denoted $P^M$, as the general logic program without negation as failure obtained
from P by

— deleting each disjunctive rule such that $HNeg \not\subseteq M$ or $BNeg \cap M \ne \emptyset$, and

— replacing each remaining disjunctive rule by $HPos \leftarrow BPos$.

A set of atoms M is an answer set for P if M is an answer set for $P^M$.



4.1 Answer sets for general programs and justified revisions 

We will now show that revision programming is closely connected with a special 
class of general logic programs, namely those for which all rules have a single 
atom in the head. We will call such rules and programs unitary. 

The encoding of revision rules as general logic program clauses is straightforward.
Given a revision program in-rule r:

$$\mathrm{in}(p) \leftarrow \mathrm{in}(q_1), \ldots, \mathrm{in}(q_m), \mathrm{out}(s_1), \ldots, \mathrm{out}(s_n)$$

we define the disjunctive rule dj(r) as:

$$p \leftarrow q_1, \ldots, q_m, \mathbf{not}\ s_1, \ldots, \mathbf{not}\ s_n.$$

Similarly, given a revision program out-rule r:

$$\mathrm{out}(p) \leftarrow \mathrm{in}(q_1), \ldots, \mathrm{in}(q_m), \mathrm{out}(s_1), \ldots, \mathrm{out}(s_n)$$

we define the disjunctive rule dj(r) as:

$$\mathbf{not}\ p \leftarrow q_1, \ldots, q_m, \mathbf{not}\ s_1, \ldots, \mathbf{not}\ s_n.$$

Finally, for a revision program P, define $dj(P) = \{dj(r) : r \in P\}$.

The mapping dj(·) is a 1-1 correspondence between revision rules and unitary
general logic program rules, and revision programs and unitary general logic
programs.

The following result states that revision problems where the initial database
is empty can be dealt with by means of general logic programs. This result can
be viewed as a generalization of Theorem 3.

Theorem 5. Let P be a revision program. Then, $\mathcal{R}$ is a P-justified revision of
$\emptyset$ if and only if $\mathcal{R}$ is an answer set for dj(P).
Proof. Let $\mathcal{R}$ be a database. Let P' be a revision program obtained from P by
deleting each out-rule that has out(a) in the head for some $a \notin \mathcal{R}$, and deleting
each rule which has out(a) in the body for some $a \in \mathcal{R}$. Then, dj(P') is the
disjunctive program obtained from dj(P) by deleting each disjunctive rule such
that $HNeg \not\subseteq \mathcal{R}$ or $BNeg \cap \mathcal{R} \ne \emptyset$ (recall that this is the first step in constructing
$dj(P)^{\mathcal{R}}$).

Observe that $\mathcal{R}$ is a P-justified revision of $\emptyset$ if and only if $\mathcal{R}$ is a P'-justified
revision of $\emptyset$. Indeed, inertia $I(\emptyset, \mathcal{R}) = \{\mathrm{out}(a) : a \notin \mathcal{R}\}$. From Theorem 1 we
have that $\mathcal{R}$ is a P-justified revision of $\emptyset$ if and only if

$$NC(P \cup \{\alpha \leftarrow\ : \alpha \in I(\emptyset, \mathcal{R})\}) = NC(P \cup \{\mathrm{out}(a) \leftarrow\ : a \notin \mathcal{R}\}) = \mathcal{R}^c.$$

From the definition of P' and the fact that $NC(P \cup \{\mathrm{out}(a) \leftarrow\ : a \notin \mathcal{R}\})$ is
coherent (as it equals $\mathcal{R}^c$), it follows that

$$NC(P \cup \{\mathrm{out}(a) \leftarrow\ : a \notin \mathcal{R}\}) = NC(P' \cup \{\mathrm{out}(a) \leftarrow\ : a \notin \mathcal{R}\}).$$

Therefore, using Theorem 1 again, we get that $\mathcal{R}$ is a P-justified revision of $\emptyset$ if
and only if $\mathcal{R}$ is a P'-justified revision of $\emptyset$.

Observe that if literal out(a), for some a, occurs in the body of a rule in P'
then $\mathrm{out}(a) \in I(\emptyset, \mathcal{R})$. Also, inertia $I(\emptyset, \mathcal{R})$ consists only of literals of the form
out(a). Therefore, $P'_{\emptyset,\mathcal{R}}$ is obtained from P' by eliminating each literal of the
form out(a) from the bodies of the rules.

Let $P'_{\emptyset,\mathcal{R}} = P'' \cup P'''$, where P'' consists of all in-rules of $P'_{\emptyset,\mathcal{R}}$, and $P''' = P'_{\emptyset,\mathcal{R}} \setminus P''$
consists of all out-rules of $P'_{\emptyset,\mathcal{R}}$. Note that all rules from P'' and P''' have only
literals of the form in(a) in their bodies. Observe that if $r \in P'''$, then its head,
head(r) = out(a) for some $a \in \mathcal{R}$. By the definition, $dj(P)^{\mathcal{R}}$ is obtained from
dj(P') by replacing each disjunctive rule by $HPos \leftarrow BPos$. Therefore,

$$dj(P)^{\mathcal{R}} = dj(P'') \cup \{\ \leftarrow a_1, \ldots, a_k : \mathrm{out}(a) \leftarrow \mathrm{in}(a_1), \ldots, \mathrm{in}(a_k) \in P'''\}.$$

After these observations we are ready to prove the statement of the theorem.
(⇒) Let $\mathcal{R}$ be a P-justified revision of $\emptyset$. It follows that $\mathcal{R}$ is a P'-justified revision
of $\emptyset$. Thus, $\mathcal{R} = \emptyset \oplus NC(P'_{\emptyset,\mathcal{R}})$. Assume that there exists a literal
$\mathrm{out}(a) \in NC(P'_{\emptyset,\mathcal{R}})$. Since $NC(P'_{\emptyset,\mathcal{R}})$ is a subset of heads of rules from $P'_{\emptyset,\mathcal{R}}$, it must
be the case that $a \in \mathcal{R}$. This contradicts the fact that the necessary change is
coherent and $\mathcal{R} = \emptyset \oplus NC(P'_{\emptyset,\mathcal{R}})$. Therefore, $NC(P'_{\emptyset,\mathcal{R}})$ consists only of literals
of the form in(a). It implies that $NC(P'_{\emptyset,\mathcal{R}}) = \{\mathrm{in}(a) : a \in \mathcal{R}\}$ is the least model
of P'', and for every rule $r \in P'''$ there exists b such that $\mathrm{in}(b) \in body(r)$ and
$b \notin \mathcal{R}$. Hence, $\mathcal{R}$ is the minimal set of atoms which satisfies all clauses in $dj(P)^{\mathcal{R}}$.
Thus, $\mathcal{R}$ is an answer set for dj(P).

(⇐) Let $\mathcal{R}$ be an answer set for dj(P). That is, $\mathcal{R}$ is the minimal set of atoms
which satisfies all clauses in

$$dj(P'') \cup \{\ \leftarrow a_1, \ldots, a_k : \mathrm{out}(a) \leftarrow \mathrm{in}(a_1), \ldots, \mathrm{in}(a_k) \in P'''\}.$$

Then, any subset of $\mathcal{R}$ satisfies all clauses in

$$\{\ \leftarrow a_1, \ldots, a_k : \mathrm{out}(a) \leftarrow \mathrm{in}(a_1), \ldots, \mathrm{in}(a_k) \in P'''\}.$$

Therefore, $\mathcal{R}$ is the minimal set of atoms which satisfies all clauses in dj(P'').
Hence, $\{\mathrm{in}(a) : a \in \mathcal{R}\}$ is the least model of P'' and satisfies P'''. Consequently,
$\{\mathrm{in}(a) : a \in \mathcal{R}\} = NC(P'_{\emptyset,\mathcal{R}})$, and $\mathcal{R} = \emptyset \oplus NC(P'_{\emptyset,\mathcal{R}})$. By the definition, $\mathcal{R}$ is a
P'-justified revision of $\emptyset$. Therefore, $\mathcal{R}$ is a P-justified revision of $\emptyset$. □

It might appear that the scope of Theorem 5 is restricted to the special 
case of revision programs that update the empty database. However, the shift- 
ing theorem allows us to extend this result to the general case. Thus, revision 
programming turns out to be equivalent to the unitary fragment of general logic 
programming. Indeed, we have the following corollary. 

Corollary 1. Let P be a revision program and $\mathcal{I}$ a database. Then, a database $\mathcal{R}$
is a P-justified revision of $\mathcal{I}$ if and only if $T_{\mathcal{I}}(\mathcal{R})$ is an answer set for the program
$dj(T_{\mathcal{I}}(P))$.
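
Theorem 5 and Corollary 1 can be exercised on the committee problem by computing answer sets directly from the Lifschitz and Woo definition. The Python code below is an added example, not code from the paper: it encodes the shifted program of Example 2 with dj, builds the reduct for each candidate set of atoms, tests minimality by enumeration, and shifts the answer sets back by the initial database. The tuple encoding (HPos, HNeg, BPos, BNeg) and all function names are assumptions of this example.

```python
from itertools import combinations

# Constructed input: the shifted program T_I(P) listed in Example 2, with
# I = {Ann, Tom}. A literal is ("in", atom) or ("out", atom); a revision
# rule is (head literal, [body literals]).
UNIVERSE = frozenset({"Ann", "Bob", "Tom", "David"})
INITIAL = frozenset({"Ann", "Tom"})
SHIFTED_PROGRAM = [
    (("in", "Bob"), [("in", "Ann")]),
    (("out", "Ann"), [("out", "Bob")]),
    (("in", "David"), [("out", "Tom")]),
    (("in", "Tom"), [("out", "David")]),
    (("in", "Ann"), [("in", "David")]),
    (("out", "David"), [("in", "Bob")]),
]


def dj(rule):
    """Encode a revision rule as a unitary general rule (HPos, HNeg, BPos, BNeg)."""
    (sign, atom), body = rule
    head = frozenset({atom})
    hpos, hneg = (head, frozenset()) if sign == "in" else (frozenset(), head)
    bpos = frozenset(a for s, a in body if s == "in")
    bneg = frozenset(a for s, a in body if s == "out")
    return hpos, hneg, bpos, bneg


def reduct(program, m):
    """P^M: drop rules with HNeg not a subset of M or BNeg meeting M,
    then keep only HPos <- BPos of the remaining rules."""
    return [(hpos, bpos) for hpos, hneg, bpos, bneg in program
            if hneg <= m and not (bneg & m)]


def satisfies(m, positive_program):
    """M satisfies HPos <- BPos if BPos inside M forces an atom of HPos into M.
    A rule with empty HPos acts as a constraint on M."""
    return all(bool(hpos & m) or not bpos <= m for hpos, bpos in positive_program)


def subsets(atoms):
    items = sorted(atoms)
    for k in range(len(items) + 1):
        for combo in combinations(items, k):
            yield frozenset(combo)


def is_answer_set(program, m):
    """M is an answer set iff M is a minimal set satisfying the reduct P^M."""
    red = reduct(program, m)
    if not satisfies(m, red):
        return False
    return not any(satisfies(s, red) for s in subsets(m) if s != m)


def answer_sets(program, universe):
    return {m for m in subsets(universe) if is_answer_set(program, m)}


def revisions_via_answer_sets(shifted_rules, universe, initial):
    """Corollary 1: R is a P-justified revision of I iff T_I(R) is an answer
    set of dj(T_I(P)); T_I on atom sets is symmetric difference with I."""
    general = [dj(r) for r in shifted_rules]
    return {frozenset(m ^ initial) for m in answer_sets(general, universe)}


if __name__ == "__main__":
    print(answer_sets([dj(r) for r in SHIFTED_PROGRAM], UNIVERSE))
    print(revisions_via_answer_sets(SHIFTED_PROGRAM, UNIVERSE, INITIAL))
```

Out-rules whose head atom belongs to the candidate set survive in the reduct with an empty head, which is how they act as constraints rather than as rules that derive atoms.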

Consider a revision program P and a database 3. A rule r G P is called a 
constraint (with respect to 3) if its head is of the form in(a), for some a G 3, or 
out(a), for some a ^ 3. 

Theorem 6. Let $P$ be a revision program and let $\mathcal{I}$ be a database. Let $P'$ consist
of all rules in $P$ that are constraints with respect to $\mathcal{I}$. Let $P'' = P \setminus P'$. A database
$\mathcal{R}$ is a $P$-justified revision of $\mathcal{I}$ if and only if $\mathcal{R}$ is a $P''$-justified revision of $\mathcal{I}$ that
satisfies all rules from $P'$.

Proof. By the shifting theorem it is enough to prove the statement for the case
$\mathcal{I} = \emptyset$. Let $\mathcal{I} = \emptyset$. Then, $P'$ consists of all out-rules of $P$ and $P''$ consists of all
in-rules of $P$.

($\Rightarrow$) If $\mathcal{R}$ is a $P$-justified revision of $\emptyset$, then $\mathcal{R}$ is a model of $P$. Hence, it is a
model of $P' \subseteq P$.

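Theorem 1 implies that

$NC(P \cup \{\alpha \leftarrow\ : \alpha \in I(\emptyset, \mathcal{R})\}) = \{in(a) : a \in \mathcal{R}\} \cup \{out(a) : a \notin \mathcal{R}\}$.

Let $M = NC(P \cup \{\alpha \leftarrow\ : \alpha \in I(\emptyset, \mathcal{R})\})$. That is, $M$ is the least model of

$P \cup \{\alpha \leftarrow\ : \alpha \in I(\emptyset, \mathcal{R})\} = P' \cup P'' \cup \{\alpha \leftarrow\ : \alpha \in I(\emptyset, \mathcal{R})\}$.

By the definition of inertia, $I(\emptyset, \mathcal{R}) = \{out(a) : a \notin \mathcal{R}\}$.

We will now show that $M$ is the least model of $P'' \cup \{\alpha \leftarrow\ : \alpha \in I(\emptyset, \mathcal{R})\}$.

Let us divide $P'$ into two disjoint parts: $P' = P'_1 \cup P'_2$, where heads of the
rules from $P'_1$ are in $\{out(a) : a \in \mathcal{R}\}$ and heads of the rules from $P'_2$ are in
$\{out(a) : a \notin \mathcal{R}\}$. For each rule $r \in P'_2$, $head(r) \in I(\emptyset, \mathcal{R})$. Hence, there exists
rule $head(r) \leftarrow$ in the set $\{\alpha \leftarrow\ : \alpha \in I(\emptyset, \mathcal{R})\}$. Therefore, $M$ is also the least
model of the program

$P'' \cup P'_1 \cup \{\alpha \leftarrow\ : \alpha \in I(\emptyset, \mathcal{R})\}$.

If we remove from the program some rules whose premises are false in $M$,
$M$ remains the least model of the reduced program. Let us show that premises
of all rules from $P'_1$ are false in $M$. Indeed, let $r$ be a rule from $P'_1$. Then,
$head(r) \in \{out(a) : a \in \mathcal{R}\}$. Assume that premises of $r$ are true in $M$. Then,
$head(r)$ must be true in $M$, since $M$ is the model of $P'' \cup P'_1 \cup \{\alpha \leftarrow\ : \alpha \in
I(\emptyset, \mathcal{R})\}$. Hence, $M \cap \{out(a) : a \in \mathcal{R}\} \neq \emptyset$, which contradicts the fact that
$M = \{in(a) : a \in \mathcal{R}\} \cup \{out(a) : a \notin \mathcal{R}\}$. Therefore, $M$ is the least model of the
program $P'' \cup \{\alpha \leftarrow\ : \alpha \in I(\emptyset, \mathcal{R})\}$. In other words,

$NC(P'' \cup \{\alpha \leftarrow\ : \alpha \in I(\emptyset, \mathcal{R})\}) = \{in(a) : a \in \mathcal{R}\} \cup \{out(a) : a \notin \mathcal{R}\}$.

From Theorem 1 we conclude that $\mathcal{R}$ is a $P''$-justified revision of $\emptyset$.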

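($\Leftarrow$) Assume $\mathcal{R}$ is a $P''$-justified revision of $\emptyset$, and $\mathcal{R}$ satisfies all rules from $P'$.
Theorem 1 implies that

$NC(P'' \cup \{\alpha \leftarrow\ : \alpha \in I(\emptyset, \mathcal{R})\}) = \mathcal{R}^c$.

Let $M = \mathcal{R}^c$. Then, $M$ is the least model of

$P'' \cup \{\alpha \leftarrow\ : \alpha \in I(\emptyset, \mathcal{R})\}$.

Clearly, $M$ is also the least model of a modified program obtained by adding
some rules that are satisfied by $M$. All rules in $P'$ are satisfied by $M$ by our
assumption. Therefore, $M$ is the least model of

$P' \cup P'' \cup \{\alpha \leftarrow\ : \alpha \in I(\emptyset, \mathcal{R})\} = P \cup \{\alpha \leftarrow\ : \alpha \in I(\emptyset, \mathcal{R})\}$.

Hence,

$NC(P \cup \{\alpha \leftarrow\ : \alpha \in I(\emptyset, \mathcal{R})\}) = M = \mathcal{R}^c$.

By Theorem 1, $\mathcal{R}$ is a $P$-justified revision of $\emptyset$. □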

The reason for the term “constraint” is now clear. In computing P-justified 
revisions only “non-constraints” are used. Then, the constraint part of P is used 
to weed out some of the computed revisions. 

Clearly, if $\mathcal{I} = \emptyset$, the constraints are exactly the out-rules of a revision
program. We can extend the notion of a constraint to the case of unitary general
logic programs. Namely, a unitary program rule is a constraint if its head is of
the form $not\ a$ (note that this notion of constraint is different from the one used
in [Lif96]). Theorem 6 has the following corollary.

Corollary 2. Let $P$ be a unitary general logic program and let $P'$ consist of all
constraints in $P$. A set $M$ is an answer set for $P$ if and only if $M$ is a stable
model for $P \setminus P'$ that satisfies $P'$.

It follows from the shifting theorem and from Theorem 5 that in order to 
describe updates by means of revision programming, it is enough to consider 
logic programs with stable model semantics and rules with not a in the heads 
that work as constraints. 

Corollary 3. Let $P$ be a revision program and let $\mathcal{I}$ be a database. Then, a
database $\mathcal{R}$ is a $P$-justified revision of $\mathcal{I}$ if and only if $T_{\mathcal{I}}(\mathcal{R})$ is a stable model
of the logic program $dj(T_{\mathcal{I}}(P) \setminus P')$ that satisfies $P'$, where $P'$ consists of all
constraints in $T_{\mathcal{I}}(P)$.

4.2 Disjunctive revision programs

The results of Section 4.1 imply an approach to extend revision programming to 
include clauses with disjunctions in the heads. Any such proposal must satisfy 
several natural postulates. First, the semantics of disjunctive revision program- 
ming must reduce to the semantics of justified revisions on disjunctive revision 
programs consisting of rules with a single literal in the head. Second, the shift- 
ing theorem must generalize to the case of disjunctive revision programs. Finally, 
the results of Section 4.1 indicate that there is yet another desirable criterion. 
Namely, the semantics of disjunctive revision programming over the empty ini- 
tial database must reduce to the Lifschitz and Woo semantics for general logic 
programs. The construction given below satisfies all these three conditions. 

First, let us introduce the syntax of disjunctive revision programs. By a
disjunctive revision rule we mean an expression of the following form:

$\alpha_1 \mid \ldots \mid \alpha_m \leftarrow \alpha_{m+1}, \ldots, \alpha_n$, (5)

where $\alpha_i$, $1 \le i \le n$, are literals (that is, expressions of the form $in(a)$ or $out(a)$).

A disjunctive revision program is a collection of disjunctive revision rules.

In order to specify semantics of disjunctive revision programs we first define
the closure of a set of literals under a disjunctive rule. A set $L$ of literals is closed
under a rule (5) if at least one $\alpha_i$, $1 \le i \le m$, belongs to $L$ or if at least one
$\alpha_i$, $m + 1 \le i \le n$, does not belong to $L$. A set of literals $L$ is closed under a
disjunctive revision program $P$ if it is closed under all rules of $P$.

The next step involves the generalization of the notion of necessary change. 
Let P be a disjunctive revision program. A necessary change entailed by P is 
any minimal set of literals that is closed under P. Notice that in the context of 
disjunctive programs the necessary change may not be unique. 

Recall that a database is a collection of atoms from universe $U$. A literal $l$ is
satisfied by a database $\mathcal{R} \subseteq U$ if $l = in(a)$ and $a \in \mathcal{R}$, or $l = out(a)$ and $a \notin \mathcal{R}$,
for some $a \in U$. We say that the body of a disjunctive revision rule is satisfied
by a database $\mathcal{R}$ if every literal from the body is satisfied by $\mathcal{R}$.

We will now introduce the notion of a reduct of a disjunctive revision program
$P$ with respect to two databases $\mathcal{I}$ (initial database) and $\mathcal{R}$ (a putative revision
of $\mathcal{I}$). The reduct, denoted by is constructed in the following four steps.

Step 1: Eliminate from the body of each rule in $P$ all literals in $I(\mathcal{I}, \mathcal{R})$.

Step 2: Remove all rules $r$, such that $head(r) \cap I(\mathcal{I}, \mathcal{R}) \neq \emptyset$.

Step 3: Eliminate from the remaining rules every rule whose body is not
satisfied by $\mathcal{R}$.

Step 4: Remove from the heads of the rules all literals that are not satisfied
by $\mathcal{R}$.

We are ready now to define the notion of a $P$-justified revision of a database
$\mathcal{I}$ for the case of disjunctive revision programs. Let $P$ be a disjunctive revision
program. A database $\mathcal{R}$ is a $P$-justified revision of a database $\mathcal{I}$ if for some
coherent necessary change $L$ of $P^{\mathcal{I},\mathcal{R}}$, $\mathcal{R} = \mathcal{I} \oplus L$. Let us observe that only steps
(1) and (2) in the definition of reduct are important. Steps (3) and (4) do not
change the defined notion of revision but lead to a simpler program.

The next example illustrates a possible use of disjunctive revision program- 
ming. 

Example 3. Let us now represent the situation of Example 1 as a disjunctive
revision program $P$:

$in(Ann) \mid in(Bob) \leftarrow$
$out(Tom) \mid in(David) \leftarrow$
$out(Ann) \leftarrow in(David)$
$out(David) \leftarrow in(Bob)$

Assume that $\mathcal{I} = \{Ann, Tom\}$, $\mathcal{R} = \{Ann\}$. Then, inertia = $\{in(Ann),
out(Bob), out(David)\}$. The reduct = $\{out(Tom) \leftarrow\}$. The only necessary
change of the reduct is $L = \{out(Tom)\}$. Since $L$ is coherent and $\mathcal{R} = \mathcal{I} \oplus L$, $\mathcal{R}$ is a
$P$-justified revision of $\mathcal{I}$. □
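The four-step reduct, the necessary changes and the justified-revision test can be checked mechanically on Example 3. The following Python sketch is an added example, not code from the paper: the tuple encoding of literals, the function names, the four-name universe, and the general form of inertia (in(a) for atoms in both databases, out(a) for atoms in neither) are assumptions chosen to agree with the values stated in the example.

```python
from itertools import combinations

# Assumed encoding: a literal is ("in", atom) or ("out", atom);
# a rule is a (head, body) pair of sets of literals.

def inertia(I, R, universe):
    """Literals whose status is the same in I and R (assumed general definition)."""
    return ({("in", a) for a in I & R} |
            {("out", a) for a in universe - (I | R)})

def satisfied(lit, db):
    kind, atom = lit
    return (atom in db) if kind == "in" else (atom not in db)

def reduct(P, I, R, universe):
    """Steps 1-4 of the reduct of P with respect to (I, R)."""
    inert = inertia(I, R, universe)
    result = []
    for head, body in P:
        head, body = frozenset(head), frozenset(body) - inert    # Step 1
        if head & inert:                                         # Step 2
            continue
        if not all(satisfied(l, R) for l in body):               # Step 3
            continue
        head = frozenset(l for l in head if satisfied(l, R))     # Step 4
        result.append((head, body))
    return result

def subsets(items):
    """All subsets, smallest first, in a deterministic order."""
    items = sorted(items)
    for k in range(len(items) + 1):
        for combo in combinations(items, k):
            yield frozenset(combo)

def closed(L, P):
    """L is closed under a rule if it holds a head literal or misses a body literal."""
    return all((head & L) or not (body <= L) for head, body in P)

def necessary_changes(P):
    """Minimal closed sets; only head literals can occur in a minimal one."""
    heads = frozenset().union(*(head for head, _ in P))
    minimal = []
    for L in subsets(heads):
        if not any(m <= L for m in minimal) and closed(L, P):
            minimal.append(L)
    return minimal

def coherent(L):
    return not any(("out", a) in L for kind, a in L if kind == "in")

def apply_change(I, L):
    """I (+) L: add atoms a with in(a) in L, remove atoms a with out(a) in L."""
    added = {a for kind, a in L if kind == "in"}
    removed = {a for kind, a in L if kind == "out"}
    return frozenset((I | added) - removed)

def is_justified_revision(P, I, R, universe):
    return any(coherent(L) and apply_change(I, L) == R
               for L in necessary_changes(reduct(P, I, R, universe)))

def justified_revisions(P, I, universe):
    return [R for R in subsets(universe)
            if is_justified_revision(P, I, R, universe)]

# Example 3; the universe is an assumption (the four names used in the rules).
UNIVERSE = frozenset({"Ann", "Bob", "Tom", "David"})
P = [
    ({("in", "Ann"), ("in", "Bob")}, set()),
    ({("out", "Tom"), ("in", "David")}, set()),
    ({("out", "Ann")}, {("in", "David")}),
    ({("out", "David")}, {("in", "Bob")}),
]
I = frozenset({"Ann", "Tom"})
R = frozenset({"Ann"})

if __name__ == "__main__":
    print("reduct:", reduct(P, I, R, UNIVERSE))
    print("justified revisions:", justified_revisions(P, I, UNIVERSE))
```

Enumerating all subsets of the universe is exponential, which is acceptable only for small examples like this one.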

The following three theorems show that the semantics for disjunctive revision 
programs described here satisfies the three criteria described above. 

Theorem 7. Let $P$ be a revision program (without disjunctions). Then, $\mathcal{R}$ is a
$P$-justified revision of $\mathcal{I}$ if and only if $\mathcal{R}$ is a $P$-justified revision of $\mathcal{I}$ when $P$ is
treated as a disjunctive revision program.

Proof. For any revision program P (without disjunctions), the least model of P, 
when treated as a Horn program built of independent propositional atoms of the 
form in(a) and out(a), is closed under P. Moreover, every set of literals that is 
closed under P must contain the least model of P. Therefore, the notions of nec- 
essary change coincide for revision programs without disjunctions, when treated 
as ordinary revision programs and as disjunctive revision programs. Hence, the 
notions of justified revisions coincide, too. □ 

The definition of $T_W$ naturally extends to the case of disjunctive revision
programs.

Theorem 8 (Shifting theorem). Let $\mathcal{I}_1$ and $\mathcal{I}_2$ be databases, and let $P$ be a
disjunctive revision program. Let $W = \mathcal{I}_1$ $\mathcal{I}_2$. Then, $\mathcal{R}_1$ is a $P$-justified revision
of $\mathcal{I}_1$ if and only if $T_W(\mathcal{R}_1)$ is a $T_W(P)$-justified revision of $\mathcal{I}_2$.

Proof. Similarly to the case of ordinary revision programs, in computing
justified revisions for disjunctive revision programs we are dealing with literals.
The $W$-transformation can be viewed as renaming these literals, which does not
affect the procedure. Therefore, the statement of the theorem holds. □

The embedding of (unitary) revision programs extends to the case of
disjunctive revision programs. As before, each literal $in(a)$ is replaced by the
corresponding atom $a$ and each literal $out(a)$ is replaced by $not\ a$. The general logic
program obtained in this way from a disjunctive revision program $P$ is denoted
by $dj(P)$.

Theorem 9. Let $P$ be a disjunctive revision program. Then, $\mathcal{R}$ is a $P$-justified
revision of $\emptyset$ if and only if $\mathcal{R}$ is an answer set for $dj(P)$.

Proof. First notice that for every $\mathcal{R}$, $I(\emptyset, \mathcal{R})$ is equal to $\{out(a) : a \notin \mathcal{R}\}$.

Observe that step 2 in the definition of the reduct removes exactly those
rules $r$ for which $dj(r)$ satisfies condition $HNeg \not\subseteq \mathcal{R}$.

Step 3 removes all rules $r$ for which $dj(r)$ satisfies condition $BNeg \cap \mathcal{R} \neq \emptyset$,
as well as rules containing $in(a)$ in the bodies for some $a \notin \mathcal{R}$ (corresponding
disjunctive logic program rules have $a$ in the bodies for some $a \notin \mathcal{R}$).

Step 1 eliminates from the bodies of the rules of $P$ all literals that are in
$I(\mathcal{I}, \mathcal{R})$. In the disjunctive logic program it corresponds to eliminating $not(BNeg)$
parts from the bodies of the remaining rules.

Step 4 in particular corresponds to eliminating $not(HNeg)$ parts from the
heads of the remaining disjunctive logic program rules.

Therefore, $dj(P)^{\mathcal{R}}$, when compared to $dj(P^{\emptyset,\mathcal{R}})$, may only have some extra
rules, the bodies of which are not satisfied by $\mathcal{R}$, or some extra literals in the
heads, which are not satisfied by $\mathcal{R}$. Hence, the statement of the theorem holds. □

We conclude this section with a simple observation related to the computa- 
tional complexity of a problem of existence of justified revisions in the case of 
disjunctive revision programming. We will show that disjunctive revision pro- 
gramming is an essential extension of the unitary revision programming. In 
[MT98] it was proved that the problem of existence of a justified revision in 
the case of unitary revision programming is NP-complete. Using the results of 
Eiter and Gottlob [EG95] and our correspondence between disjunctive revision 
programs and general logic programs we obtain the following result. 

Theorem 10. The following problem is $\Sigma_2^P$-complete: Given a finite disjunctive
revision program $P$ and a database $\mathcal{I}$, decide whether $\mathcal{I}$ has a $P$-justified revision.

It follows that disjunctive revision programming is an essential extension of 
the unitary revision programming (unless the polynomial hierarchy collapses) . 

5 Future work 

Lifschitz, Tang and Turner [LTT97] extended the answer set semantics to a class 
of logic programs with nested expressions permitted in the bodies and heads of 
rules. It can be shown that our formalism can be lifted to revision programs 
admitting nested occurrences of connectives as well. 

The connections between revision programming and logic programming,
presented in this work, imply a straightforward approach to compute justified
revisions. Namely, a revision problem $(P, \mathcal{I})$ must first be compiled into a general
logic program (by applying the transformation $T_{\mathcal{I}}$ to $P$). Then, answer sets to
$T_{\mathcal{I}}(P)$ must be computed and “shifted” back by means of $T_{\mathcal{I}}$.

To compute the answer sets of the general logic program $T_{\mathcal{I}}(P)$, one might
use any of the existing systems computing stable models of logic programs (for
instance s-models [NS96], DeReS [CMMT95], and for the disjunctive case DisLoP
[ADN97], or a system dlv presented in [ELM+97]). Some care needs to be taken
to model rules with negation as failure operator in the heads as standard logic
program clauses or defaults.

In our future work, we will investigate the efficiency of this approach to com- 
pute justified revisions and we will develop related techniques tailored specifically 
for the case of revision programming. 

Abstract. In this paper, we consider the free-variable variant of the
calculus KE and investigate the effect of different preprocessing activities
on the proof length of variants of KE. In this context, skolemization
is identified to be harmful as compared to the δ-rule. This does not
only have consequences for proof length in KE, but also for the
“efficiency” of some structural translations. Additionally, we investigate the
effect of quantifier-shifting and quantifier-distributing rules, respectively.
In all these comparisons, we identify classes of formulae for which a
non-elementary difference in proof length occurs.



1 Introduction 

Many calculi used in the field of automated deduction rely on specific normal 
forms. The given closed first-order formula is transformed by appropriate trans- 
lation procedures into the desired normal form. Additionally, several techniques 
like antiprenexing, i.e., the shifting of quantifiers inwards in order to minimize 
the scope of quantifiers, can be applied. Since such techniques are applied prior 
to the deduction process, they are summarized under the term preprocessing ac- 
tivities. But even if a calculus for the full first-order syntax is used and therefore 
no preprocessing is necessary, simplifications like antiprenexing are sometimes 
beneficial in this case. 

Usually, recommendations for preprocessing activities are given with a certain 
(class of) calculi in mind. An example for such a recommendation is: 

If possible, apply quantifier-shifting¹ rules in order to reduce the scope
of quantifiers.

This recommendation is justified by the fact that Herbrand complexity² (HC) is
never increased as long as the distribution of quantifiers is avoided. Since HC is a
lower bound for the proof complexity in many cut-free calculi (like, e.g., cut-free
LK, analytic tableau, various connection calculi), following the recommendation
is advocated for these calculi.

* The author would like to thank Hans Tompits for his useful comments on an earlier
version of this paper.

¹ An example of such a rule is where x does not occur free in B.

² Let F be a formula without essentially universal (strong) quantifiers. Then HC is
the cardinality of a minimal valid set of ground instances of F.

A disadvantage of all the mentioned calculi is their weakness with respect 
to finding short proofs. For instance, it is shown in [5] that the propositional 
analytic tableau calculus is weaker than the well-known truth table method, 
which itself is always exponential in the number of propositional variables of 
the input formula. This means that there exist classes of formulae for which the 
length of any analytic tableau is exponential in the size of the (complete) truth 
table. 

In order to overcome the weakness of these calculi (to some extent), a con- 
trolled integration of the cut-rule is necessary. There are many techniques which 
can be characterized by the cut-rule where the (structure of the) cut-formula is 
restricted and easily computable from the given formula (see [10] for an overview 
and references). As we will see below, this (and similar) recommendations have 
to be checked if new calculi are used because different calculi can yield extremely 
different behavior! As an example, we mention the result of Section 4.3 that 
shifting one (!) quantifier causes a non-elementary increase of proof length in a 
specific variant of KE for some class of first-order formulae. 

In this paper, we use the calculus KE in a free-variable form introduced in
Section 3. KE has been defined in [15] (with different quantifier rules introducing
parameters and constants). The propositional fragment was studied in [5,6].

A remarkable property of KE is the necessity of the cut-rule because it is its 
only branching rule. Since an unrestricted use of cut is unfeasible for proof search, 
the cut rule has to be restricted in such a way that the subformula property is 
obeyed. Indeed, KE remains complete even for highly restricted variants of the 
cut-rule. We give new and easy soundness and completeness proofs of KE with 
restricted cut-rules by providing polynomial simulations with extended variants 
of analytic tableaux. 

In Section 4, different variants of KE are compared. Moreover, skolemization
is identified to be harmful as compared to the δ-rule. Additionally, we investigate
the effect of quantifier-shifting and quantifier-distributing rules, respectively. In
all these comparisons, we identify classes of formulae for which a non-elementary
difference in proof length occurs. This indicates that some techniques destroy the
possibility to use (some forms of) cut, resulting in a tremendous increase of proof
complexity.

In Section 5, we discuss consequences of our results for other formalisms 
like definitional (structure-preserving) translations to normal form and different 
variants of circumscription. 

2 Preliminaries 

Throughout this paper we use a standard first-order language with function 
symbols. We assume familiarity with the basic concepts including skolemization 
(see, e.g., [12] for an introduction). 
In order to distinguish between formula occurrences in the (formula tree of
the) input formula and substitution instances of these subformulae, we
introduce the notions of s-subformulae (structural subformulae) and subformulae,
respectively.

Definition 1. Given a formula $F$, we call $G$ an immediate s-subformula
(structural subformula) of $F$ if either

1. $F = \neg G_1$ and $G = G_1$, or

2. $F = G_1 \circ G_2$ ($\circ \in \{\land, \lor, \to\}$) and $G = G_1$ or $G = G_2$, or

3. $F = Qx\, G_1$ ($Q \in \{\forall, \exists\}$) and $G = G_1$.

The relation “is s-subformula of” is the transitive closure of the relation “is an
immediate s-subformula of” together with the pair $(H, H)$ for any formula $H$.
We call $G$ an immediate subformula of $F$ if either one of 1.-2. holds, or

4. $F = Qx\, G_1$ and $G$ is $G_1$ with $x$ replaced by an arbitrary term $t$.

The relation “is subformula of” is defined analogously.

A remarkable peculiarity of subformulae is the “violation” of essentially
existential quantification. Assume that $F := \forall x\, P(x)$ is the formula to be proven,
i.e., $\neg F$ is refuted. The indicated quantifier is replaced by a Skolem term $s$ (by
the skolemization procedure); hence, the resulting formula is of the form $\neg P(s)$.
In contrast, $P(t)$ (for an arbitrary term $t$) is a subformula of $F$, but not an
s-subformula of $F$.

Definition 2. The length of a formula $F$, denoted by $|F|$, is the number of
symbol occurrences in the string representation of $F$. If $\Delta = F_1, \ldots, F_n$ then
$|\Delta| = \sum_{i=1}^{n} |F_i|$. If $\Delta = \{F_1, \ldots, F_n\}$ is a set with $n$ elements then $|\Delta| =
\sum_{i=1}^{n} |F_i|$. The length of a tableau derivation $\alpha$, denoted by $|\alpha|$, is $\sum_{S \in \mathcal{M}} |S|$
where $\mathcal{M}$ is the multiset of formulae occurring in $\alpha$. By #nodes($\alpha$), we denote
the number of nodes in (tree) $\alpha$.

The logical complexity of a formula $F$ is denoted by lcomp($F$).

Definition 3. Let 2: IN x IN — IN 6e the hyper- exponential function with 2 q = i 
and = 2^" for all G IN. Let s: IN — IN be defined as s{n) = for all 
n G IN. 

Definition 4. A function e: IN ^ IN is called elementary if there exists a Turing 
machine M computing e and a number A: G IN such that timcM{n) < 2^ for all 
n G IN, where timeM{n) is the computing time of M on input n. 

Let us remark that the function s is not elementary. 

The following definition of a polynomial simulation (resp. an elementary sim- 
ulation) is adapted from [7] and restricted to the case that the connectives in 
both calculi are identical. 

Definition 5. A calculus $P_1$ can polynomially simulate (elementarily simulate)
a calculus $P_2$ if there is a polynomial $p$ (an elementary function $e$) such that the
following holds. For every proof of a formula $F$ in $P_2$ of length $n$, there is a
proof of $F$ in $P_1$, whose length is not greater than $p(n)$ ($e(n)$).

Fig. 1. Smullyan’s uniform notation.

Fig. 2. The inference rules of KE.

3 The Calculus KE 

We consider the free-variable variant of the calculus KE. The original calculus 
was defined in [15] (with different quantifier rules introducing parameters and 
constants). The propositional fragment was studied in [5,6]. 

For convenience, Smullyan’s uniform notation is used in order to reduce the 
number of cases. The notation is summarized in Fig. 1. Let A be a signed formula. 
If A is of the form f(B) then is t(B); otherwise, is f(B). We consider the 
KE-rules depicted in Fig. 2. In case of the γ-type, $y$ is a globally new variable. In
case of the δ-type, $\bar{z} = z_1, \ldots, z_n$ are the free variables of $A$, and $f$ is a Skolem
function symbol. The right-most rule is the cut-rule; $A$ is called the cut-formula.

Observe that cut is the only branching rule in KE. In contrast to sequent or 
tableau calculi, where cut is a redundant rule, it is necessary in KE and cannot 
be eliminated. 

Remark 1. The KE-rules differ from the usual rules for free-variable tableaux
(together with the cut-rule) in the rules for β-formulae. The other rules are
identical.

The β-rule in tableau is We will call the tableau calculus with this
β-rule, and the α-, γ-, and δ-rule from above, analytic tableau. We will also use
analytic tableaux with the asymmetric β-rule, which is as follows:

         β                          β
    β_1  |  β_2                β_1  |  β_2
         |  β_1^c            β_2^c  |

As one might expect, this asymmetric branching rule simulates (some
restricted form) of analytic cut by introducing $\beta_i$ ($i = 1, 2$) in both polarities
(indicated by $\beta_i$ and $\beta_i^c$).

In the next two definitions, X stands either for tableau or KE. 
Definition 6. Let $S = \{F_1, \ldots, F_m\}$ be a set of signed formulae. Then $\mathcal{T}$ is
an X-tree for $S$ if there exists a finite sequence $\mathcal{T}_1, \ldots, \mathcal{T}_n$ such that (i) $\mathcal{T}_1$ is
the initial branch consisting of $F_1, \ldots, F_m$, (ii) $\mathcal{T}_n = \mathcal{T}$, and, (iii) for each
$1 \le i < n$, $\mathcal{T}_{i+1}$ is the result of an X-rule applied to (formulae from) $\mathcal{T}_i$.

Definition 7. Let $\mathcal{T}$ be an X-tree for a set of signed formulae. A branch $b$ is
closed if $t(A)$ and $f(A)$ occur on $b$. If $A$ is some atom then $b$ is called atomically
closed. Branches which are not closed are called open. $\mathcal{T}$ is closed if all branches
of $\mathcal{T}$ are closed. An X-proof of a formula $F$ is a closed X-tree for $\{f(F)\}$.

In free-variable tableaux, instantiation of variables is deferred until closing a
path. Suppose that we have two (signed) atoms $t(A)$ and $f(B)$ on a path $b$ such
that $A$ and $B$ are unifiable by the most general unifier (mgu) $\sigma$, i.e., $A\sigma = B\sigma$.
Then we can apply the closure operation, mark $b$ closed (this is indicated by
at the end of $b$) and apply the resulting mgu $\sigma$ to the whole tableau. The
branch $b$ becomes atomically closed. The same closure operation is used to close
branches in KE-trees.

Remark 2. It is not really necessary to restrict the closure operation to signed 
atoms. Alternatively, signed formulae can be used to close branches. The neces- 
sary unification algorithm for formulae with quantifiers has been developed in 
[17] (see also [11]). 

Lemma 1. Let F be a KE-proo/ of a formula F. Then there exists a KE-proo/ 
F' of F, F' is atomically closed and |T^| < 5 • |T|^. 

Proof. We first show property (P) below by induction on the logical complexity
of $A$.

(P) Let $t(A)$ and $f(A)$ be two signed formulae on the same path. Then there
exists an atomically closed cut-free KE-tree $\mathcal{T}_A$ for $\{t(A), f(A)\}$, #nodes($\mathcal{T}_A$) $\le$
$3 \cdot$ lcomp($A$) $+ 2$, and $|\mathcal{T}_A| \le$ #nodes($\mathcal{T}_A$) $\cdot |A|^2$.

Basis. lcomp($A$) $= 0$, i.e., $A$ is an atom. Set $\mathcal{T}_A$ to the initial branch and obtain
#nodes($\mathcal{T}_A$) $= 2$.

Step. (IH) Assume that (P) holds for all formulae $B$ with lcomp($B$) $< n$. Let
lcomp($A$) $= n$. In the following, we refer to cases 1-3 given below.

Case 1. $A = \neg B$.

Case 2. $A$ is an α-formula (except a negation) or $A$ is a β-formula. Without loss
of generality assume that $A$ is an α-formula.

Case 3. $A$ is a γ-formula or $A$ is a δ-formula. Without loss of generality assume
that $A$ is a γ-formula.

Consider the left inference figure in Fig. 3 for case 1, the middle inference
figure for case 2 and the right inference figure for case 3. Let the last two signed
formulae be denoted by $f(B)$ and $t(B)$. In all of the three cases, (IH) provides
an atomically closed cut-free KE-tree $\mathcal{T}_B$ for $\{f(B), t(B)\}$. Then #nodes($\mathcal{T}_A$) $\le$
$3 +$ #nodes($\mathcal{T}_B$) $= 3 + 3 \cdot$ lcomp($B$) $+ 2$ and (with lcomp($B$) $\le$ lcomp($A$) $- 1$)
#nodes($\mathcal{T}_A$) $\le 3 \cdot$ lcomp($A$) $+ 2$. In order to estimate the length of the resulting
KE-tree, observe that any formula in $\mathcal{T}_A$ has length $\le |A|^2$ (because Skolem
terms introduced by the δ-rule can yield a quadratic increase of length in the
worst case). Hence, $|\mathcal{T}_A| \le (3 \cdot$ lcomp($A$) $+ 2) \cdot |A|^2$. This concludes the induction
proof of (P).

Fig. 3. Different inference figures for the proof of Lemma 1.

Let $c_m$ be the maximal logical complexity of a formula in $\mathcal{T}$ and let $l_m$ be
the length of the “biggest” formula of $\mathcal{T}$. Clearly, $c_m, l_m \le |\mathcal{T}|$, $|\mathcal{T}| \ge 2$ and $|\mathcal{T}'|$
is estimated as follows.

\r\ < (3 • + 2) • • in < 3 • in" + 2 • in" < 5 • in" 

This concludes the proof of the lemma. □ 

Due to Lemma 1, it is sufficient that paths are closed. We do not require that 
paths are atomically closed because we are interested in p-simulations between 
calculi. 

Definition 8. An application of cut in a tableau or KE-proof of $F$ is called
analytic if the cut-formula is a subformula or the negation of a subformula of
$F$. An application of cut in a branch $b$ of a KE-tree is called strongly analytic
if $\beta$ occurs on $b$, the cut formula is $\beta_i$ (for some $i = 1, 2$) and neither $\beta_1$ nor $\beta_2$
occurs on $b$ (above the cut). A KE-tree is called analytic (strongly analytic) if it
contains only analytic (strongly analytic) applications of cut.

Tableaux with analytic cut is the tableau calculus extended by the analytic 
cut rule. 

Lemma 2. The calculus KE can p-simulate the analytic tableau calculus (even 
with cut). 

Proof. It is sufficient to show that the tableau rules for β-formulae can be
polynomially simulated by KE-rules. The (left) tableau β-rule is replaced by an
application of cut and an application of a KE-rule for β-formulae (depicted on
the right).

If, in a tableau proof of a formula $F$, each application of a β-rule is replaced by
the corresponding KE-rules, the resulting KE-proof of $F$ has length polynomial
in the length of the tableau proof. □

Observe that the right inference figure produces the same open paths as the 
asymmetric tableau /3-rule. 

Corollary 1. Any cut-free tableau proof of a formula $F$ (even with applications
of the asymmetric β-rule) can be transformed into a strongly analytic closed
KE-tree for $\{f(F)\}$.

Proof. Inspecting the translation described in the proof of Lemma 2 reveals that
the indicated application of cut is strongly analytic if the corresponding branch
$b$ in the tableau proof contains neither $\beta_1$ nor $\beta_2$. If $b$ contains one or both
of the latter formulae then the application of the β-rule in the tableau proof is
superfluous and can be deleted. As a result, we get a simpler and shorter tableau
proof which is used for the translation. □

Corollary 2. Any tableau proof of a formula $F$ with analytic cuts can be
transformed into an analytic closed KE-tree for $\{f(F)\}$.

Proof. Obvious. □

Lemma 3. The tableau calculus with cut can p-simulate the calculus KE.

Proof. It is sufficient to show that the KE-rules for β-formulae and cut can be
polynomially simulated by tableau rules and cut. Any application of cut in the
KE-proof is replaced by cut using the same cut formula. The (left) KE-rule for
β-formulae is replaced by an application of the β-rule (depicted on the right).
We show only one KE-rule; the other rule is handled similarly.

[Figure: a KE-rule for β-formulae (left) and its simulation by the tableau β-rule (right).]

If, in a KE-proof of a formula $F$, each application of a rule for β-formulae
is replaced by an application of a β-rule, the resulting tableau proof of $F$ has
length polynomial in the length of the KE-proof. □

Corollary 3. The tableau calculus with analytic cut can p-simulate analytic KE. 

Proof. Obvious. □ 

Corollary 4. The tableau calculus with the asymmetric β-rule can p-simulate
strongly analytic KE.

Proof. It is sufficient to show that strongly analytic cuts can be polynomially
simulated by the asymmetric β-rules. The (left) strongly analytic cut is replaced
by an application of the asymmetric β-rule (depicted on the right). We show
only one case; the other is handled similarly.

[Figure: a strongly analytic cut (left) and its replacement by the asymmetric β-rule (right).]

If, in a KE-proof of a formula $F$, each application of strongly analytic cuts
is replaced by an application of the asymmetric β-rules, the resulting tableau
proof of $F$ has length polynomial in the length of the KE-proof. □



Theorem 1. The calculus KE is sound and complete. The same holds if all 
applications of cut are analytic or strongly analytic. 

Proof. By Lemma 2, Corollary 1, Corollary 2, and Lemma 3. □ 



4 Comparisons 

In this section, we compare strongly analytic KE with analytic KE. Moreover, the 
influence of skolemization, quantifier-distributing rules and quantifier-shifting 
rules with respect to the complexity of minimal strongly analytic KE-proofs are 
investigated. It turns out that many suggestions for the use of quantifier rules 
should be carefully inspected if strongly analytic KE is used. 

4.1 Preparatory Results 

Let us first define $F_n$ and recapitulate some facts about the length of its proofs
in sequent systems and analytic tableaux.

Definition 9. Let $(F_n)_{n \in \mathbb{N}}$ be a sequence of formulae with

$F_n = \forall x\, ((\forall w_0 \exists v_0\, P(w_0, x, v_0) \land C(x)) \to B_n(x))$

$C(x) = \forall u v w\, (\exists y\, (P(y, x, u) \land \exists z\, (P(v, y, z) \land P(z, y, w))) \to P(v, u, w))$

$B_n(x) = \exists v_n\, (P(x, x, v_n) \land \exists v_{n-1}\, (P(x, v_n, v_{n-1}) \land \ldots \land \exists v_0\, P(x, v_1, v_0)) \ldots)$.



The following theorem is a corollary of Theorems 1 and 4 in [16]. 

Theorem 2. Let F^ := (Vwq P{wo,b, g{wo)) A C{b)) — )■ R„(6) be the skolem- 
ized form of Fn. Let </)„ be any proof of Fn or F^ in a cut- free analytic tableau 
calculus. Then, |</>n| > 2 • s(n). 

In [16], Orevkov provides a short proof of $F_n$ (in sequent systems) with
exactly one application of the cut-rule and the number of sequents in this proof
is linear in $n$.

Let $C_n$ be the cut-formula in this proof with one free variable $x$. The
cut-formula $C_n = A_n(x)$ is defined inductively as follows.

$A_0(\alpha) = \forall w_0 \exists v_0\, p(w_0, \alpha, v_0)$

$A_{i+1}(\alpha) = \forall w_{i+1}\, (A_i(w_{i+1}) \to A_{i+1}(w_{i+1}, \alpha))$

$A_0(\alpha, \delta) = \exists v_0\, p(\alpha, \delta, v_0)$

$A_{i+1}(\alpha, \delta) = \exists v_{i+1}\, (A_i(v_{i+1}) \land p(\alpha, \delta, v_{i+1}))$



It is well known that cuts can be eliminated with only a minor overhead if 
the change of the formula to be proven is allowed. The new formula in our case 
is then 

$(\forall x\, (C_n \to C_n)) \to F_n$. 

The effect of cut with cut-formula $C_n$, e.g., in an analytic tableau proof, can 
be simulated by an application of the γ-rule and an application of the β-rule. 
Hence, the modified formula possesses short proofs in analytic tableaux and cut-free 
sequent systems. The (structure of a) short proof of this formula in strongly 
analytic KE is as follows: 

$f((\forall x\, (C_n \to C_n)) \to F_n)$ 

$t(\forall x\, (C_n \to C_n))$ 

It is important that (an instance of) the cut-formula occurs in both branches 
indicated in the above tableau (in different polarity). 

Let be constructed from $F_n$ by adding an additional unique variable 
argument at the first position of any literal occurring in $F_n$ such that this newly 
introduced variable z is globally new. Furthermore, the same procedure is applied 
to $C_n \to C_n$ resulting in $D'_n \to D'_n$. Let := $\exists z \forall x\, (D'_n \to D'_n)$ and 
$G_n := \forall z\, G'_n$. Observe that all occurrences of the newly introduced variable 
are replaced by Skolem terms if the respective subformula is decomposed in the 
construction of a closed analytic tableau. 

We show that any analytic (or strongly analytic) KE-proof of $F_n$ or $G_n$ has 
length greater than $s(n - c)$ for some constant c. We proved the following result 
as Lemma 5 in [10]. 

Lemma 4. Let $\varphi_n$ be a proof of $F_n$ or $G_n$ in tableau with analytic cut. Then, 
for sufficiently large n, $|\varphi_n| > 2 \cdot s(n - c)$ for some constant c. 

Due to the existence of p-simulations of tableaux with analytic cut by analytic 
KE (see Corollary 2) and vice versa (see Corollary 3), we get the following 
corollary. 

Corollary 5. Let $\varphi_n$ be an analytic or strongly analytic KE-proof of $G_n$ or $F_n$. 
Then, for sufficiently large n, $|\varphi_n| > s(n - d)$ for some constant d. 
4.2 On Skolemization and the δ-rules in KE 

In variants of KE and analytic tableaux, the δ-rule is used to remove occurrences 
of essentially existential quantifiers dynamically. This is in contrast to most other 
calculi (like resolution) which require the input formula to be skolemized in 
advance. Skolemization is performed as a preprocessing activity prior to the 
“deduction process” even in analytic tableau systems like [4]. Such a preprocessing 
skolemization is considered to be more efficient than a dynamic δ-rule because 

(i) it causes the removal of applications of the δ-rule from the search space, and 

(ii) it is a computationally inexpensive operation. 

In KE, however, instead of preprocessing skolemization, applications of the 
δ-rule can yield drastically (non-elementary) shorter proofs and search spaces. 
We investigate this phenomenon in the following. 

Reconsider and from above. We use the formula 

$I_n := (\forall z \forall x\, (D'_n \to D'_n)) \land G_n$. (1) 

It is immediately apparent that any proof of $I_n$ in cut-free standard analytic 
tableau calculi is non-elementary. There exists, however, a short proof of in 
tableau with analytic cut. 

Lemma 5. There exists a strongly analytic KE-proof $\varphi_n$ of (1) such that the 
length of $\varphi_n$ is $< c \cdot 2^{d \cdot n}$ for some constants c, d. 

Proof. The proof $\varphi_n$ is as follows: 



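[Figure: KE-tableau of the proof $\varphi_n$, rooted at f($I_n$), with a closed left and a closed right subtableau; the node labels did not survive extraction.] 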



The proof is divided into two main parts, namely the closed left subtableau and 
the closed right subtableau below f($I_n$). Since $|D'_n|$ is exponential in length (with 
respect to n), an exponential length of the left closed KE-tableau follows from 
property (P) in the proof of Lemma 1. Observe that the two indicated variables 
z and x are replaced by Skolem terms by applying the δ-rule. 

In the right subtableau, f($I_n$) is decomposed resulting first in f($G_n$) and 
then in on the branch. Observe that s is a Skolem constant introduced 
by the δ-rule. By an application of the strongly analytic cut-rule, we get two 
branches: one with f(G(jj) and t{D!^) and another one with f(G(jj) and 
Now we have a similar situation as in Orevkov’s short LK-proof with cut. The 
exponential length of the whole proof follows. □ 
An important feature in the KE-proof is the “change of quantification”, i.e., a 
δ-formula in the left branch of a (strongly) analytic cut becomes a γ-formula 
in the right path (and vice versa). Let us consider the skolemized form of the 
negation of (1), namely 

:= -((Z?ii) ^ A {G'X)- ( 2 ) 

The property to “change the quantification” is lost by the introduction of Skolem 
terms prior to applications of (strongly) analytic cut. The following lemma can 
be proved with the same technique as Lemma 5 in [10]. 

Lemma 6. Let $\varphi_n$ be a (strongly) analytic KE-proof of I'^. Then, for sufficiently 
large n, $|\varphi_n| > 2 \cdot s(n - c)$ for some constant c. 



Theorem 3. There exists a sequence $(I_n)_{n \in \mathbb{N}}$ of first-order formulae such that, 
for sufficiently large n, the following holds: 

1. There exists a (strongly) analytic KE-proof $\varphi_n$ of $I_n$ of length $< c \cdot 2^{d \cdot n}$ for 
some constants c and d. 

2. Any analytic KE-proof $\psi_n$ of the skolemized form of $I_n$ has length $> s(n - c)$ 
for some constant c. 

Although applications of the δ-rule slightly enlarge the search space, dynamic 
skolemization can yield a drastically better behavior. The reason is the 
destruction of cut-formulae by the newly introduced Skolem terms. More precisely, an 
application of the (strongly) analytic cut results in one path with a δ-formula and 
in another path with the corresponding γ-formula. If skolemization is applied as 
a preprocessing activity, the δ-formula has been replaced by the corresponding 
$\delta_1$-formula with a Skolem term. This Skolem term is also present in the cut 
formula of the (strongly) analytic cut. 

We stress that the result does not depend on a specific optimized δ-rule; 
even simple forms like the δ-rule suffice. The reason for the independence from 
the variant of the δ-rule is simple: only Skolem constants are introduced for 
the additional quantifier occurrences because they do not occur in the scope of 
essentially universal quantifiers. 



4.3 Quantifier-rules and Proof Complexity 

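What happens if quantifier-distributing rules like 

$\dfrac{\forall x\, (A \land B)}{(\forall x\, A) \land (\forall x\, B)} \qquad \dfrac{\exists x\, (A \lor B)}{(\exists x\, A) \lor (\exists x\, B)}$ 

are applied to the following formula, where $\sigma = \{z \backslash z'\}$ and $\mu = \{z \backslash f(z')\}$, 

$\forall z'\, (\forall x\, (D'_n \to D'_n)\sigma \land G'_n\mu)$ (3) 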
In [3], a formula is defined for which the Herbrand complexity is slightly 
increased if quantifier-distributing rules are applied. Since Herbrand complexity 
is a lower bound for most of the analytic cut-free calculi like analytic tableau, 
cut-free sequent systems etc., this result implies an increase of proof complexity in 
all of these calculi. But even for resolution with its atomic cut-rule, an increase of 
proof complexity is observable. In [8], it is shown that resolution proof complexity 
is exponentially increased for some classes of formulae if quantifier-distributing 
rules are applied. 

When strongly analytic KE is applied, things are extremely different. There 
are only non-elementary strongly analytic KE-proofs of (3). The reason is that 

$\forall x\, (D'_n \to D'_n)\sigma' \land G'_n\mu'$ 

results from the elimination of $\forall z'$, where $\sigma' = \{z \backslash c\}$ and $\mu' = \{z \backslash f(c)\}$, and 
the instance $\forall x\, (D'_n \to D'_n)\sigma'$ cannot be used for a short simulation of cut. 

In contrast, there exists a short proof (in the same calculus) of 

$\forall z'\, \forall x\, (D'_n \to D'_n)\sigma \land \forall z'\, G'_n\mu$ (4) 

with a similar structure like the proof of in Lemma 5. Obviously, (4) can be 
obtained from (3) by an application of the quantifier-distributing rule above. As a 
result, the application of quantifier-distributing rules can cause a non-elementary 
decrease of proof length in strongly analytic KE! 

The reason why HC or resolution proof complexity is increased is a 
duplication of (nearly) identical formulae or proofs. For instance, if $F = \forall x\, (p(x) \land 
p(x)) \lor \exists y\, p(y)$ is the original formula, $G = (\forall x\, p(x) \land \forall x\, p(x)) \lor \exists y\, p(y)$ the 
formula obtained by applying a quantifier-distribution rule, then two instances 
of the existentially quantified formula are required in the latter case (for the 
skolemized form of G), whereas only one such instance is required in the former 
case (for the skolemized form of F). Our result here is based on a completely 
different effect, namely the quantification of cut-formulae, together with the effect 
that δ-formulae in the “false” part become γ-formulae in the “true” part. 

In the above discussion, only quantifier-distributing rules are considered. 
What happens if quantifier-shifting rules like 

$\dfrac{\forall x\, (A \circ B)}{(\forall x\, A) \circ B} \qquad \dfrac{\forall x\, (A \circ B)}{A \circ \forall x\, B}$ 

(where x does not occur (free) in B and in A, respectively) are applied? It 
is shown in [3] that Herbrand complexity is not increased by applications of 
such rules. Here, however, we get a non-elementary increase of proof length if 
we apply quantifier-shifting rules in order to minimize the scope of quantifiers. 
Hence, antiprenexing, i.e., the movement of quantifiers inwards, is not always 
beneficial, even if only quantifier-shifting rules are applied. 

Let us consider the formula 

$(\exists z\, \forall x\, (D'_n \to D'_n)) \land G_n$ (5) 

and observe that the indicated $\exists z$ belongs to a δ-formula. Hence, we have 
$f((\exists z\, \forall x\, (D'_n \to D'_n)) \land G_n)$ 

$t(\exists z\, \forall x\, (D'_n \to D'_n))$ 

| 

$f(G_n)$ 

△ 

The indicated right KE-subtree is non-elementary in n. This is an immediate 
consequence of the construction of $G_n$, the fact that the two indicated 
subformulae are δ-formulae, and Lemma 4. 

Consider the following formula 

$\exists z\, (\forall x\, (D'_n \to D'_n) \land G_n)$ (6) 

and observe that formula (5) can be obtained from formula (6) by applying 
quantifier-shifting rules. The indicated quantifier $\exists z$ in (6) is prenexed. 
Surprisingly, the latter formula has a short strongly analytic KE-proof. The reason is 
the new “global” quantifier $\exists z$ which is outside the top-most β-formula. Observe 
that the elimination of this quantifier occurrence results in a new free variable 
but this variable does not have any effect when quantifiers in $G_n$ are removed (by 
the δ-rule). Moreover, the free variable z in $E = \forall x\, (D'_n \to D'_n)$ is not bound 
in the course of a short strongly analytic KE-proof of E. Consequently, this 
free variable can be bound to the constant c introduced for the (first) quantifier 
occurrence $\forall z$ in $G_n$. 

Unfortunately, there are also cases where the application of quantifier-shifting 
rules decreases proof complexity in strongly analytic KE non-elementarily. 
Consider the formula 

$\forall z\, (\forall x\, (D'_n \to D'_n) \land G_n)$ (7) 

and observe that different Skolem constants are introduced for z in $\forall x\, (D'_n \to D'_n)$ 
and $G'_n$, respectively. Hence, the cut-formula also contains a Skolem term 
for z which is different from the Skolem term for z in $G'_n$. Therefore, any strongly 
analytic KE-proof of (7) is non-elementary. In contrast, there are short strongly 
analytic KE-proofs of 

$\forall z\, \forall x\, (D'_n \to D'_n) \land G_n$ (8) 

which is obtained from (7) by applying a quantifier-shifting rule. 

5 Consequences for Other Formalisms 

Although the results presented so far seem to be restricted to variants of the 
KE-calculus, they have implications for other mechanisms. In the following, we 
discuss two, namely structural translations to normal form and circumscription. 

Let us first consider the structural translation $\gamma_{struc}$ from [12]. This 
translation is intended to be an optimized and simplified version of the translation 
used in [2]. The optimization (with respect to the length of the resulting normal 
form!) is to transform formulae in (skolemized) negation normal form into a set 
of clauses by introducing new abbreviations for subformulae. Usually, structural 
translations [7,9] are not restricted to negation normal form but apply to 
arbitrary closed first-order formulae. The important point here is that the restriction 
causes a non-elementary increase of proof length. This increase not only applies 
for (strongly) analytic KE but also for many other calculi (even with analytic 
cut). The main reason is that instances of {Dn'^ — >■ Dn^)^ from the skolemized 
variant of $I_n$ no longer simulate instances of the required cut rule. 

Circumscription [14] is a technique to formalize a nonmonotonic behavior of 
a reasoning agent. The basic principle is the completion of an implication to an 
equivalence. Usually, second-order logic is needed for a formalization, but there 
are restricted classes of formulae, e.g., the class of solitary formulae, for which 
circumscription can be formalized in first-order logic [13]. 

Let P be an n-ary predicate symbol, and let $x := x_1, \ldots, x_n$ be a list of 
n variables. A formula is solitary in P iff it is equivalent to a formula of the 
following normal form $N(P) \land \forall x\, (E(x) \to P(x))$. N(P) is a formula which has 
no positive occurrences of P (but which may admit negative occurrences of P), 
and E(x) is a formula with no occurrences of P whatsoever. Lifschitz proved 
that the two formulae 

$F_1 = \mathrm{CIRC}(N(P) \land \forall x\, (E(x) \to P(x)), P)$ 

$F_2 = N(P) \land \forall x\, (E(x) \leftrightarrow P(x))$ 



are equivalent. 

Since the introduction of equivalences has strong connections to extensions, 
which in turn can be used to simulate the cut-rule [18,7,1], circumscribed for- 
mulae have (some forms of analytic) cut “compiled” into them. Since solitary 
formulae are those formulae which are logically equivalent to the form above, 
the concrete formula has to be determined. Here, however, care has to be taken 
because slightly differing variants of the cut-formula can have severe impact on 
proof length. Our results imply that slightly differing variants of circumscription 
yield formulae for which HC is extremely different. 

6 Conclusion 

We showed that some preprocessing activities can be harmful if strongly ana- 
lytic KE-proofs are considered. This highly restricted variant of KE is a good 
candidate for implementing automated deduction systems. The propositional 
fragment can be considered as a non-clausal Davis-Putnam proof procedure, 
and the first-order variant corresponds to a slightly extended variant of analytic 
tableaux. 

In contrast to what is recommended in the literature, quantifier-shifting rules 
have to be applied carefully. The same holds for other preprocessing activities 
like skolemization. In our context here, the “dynamic” δ-rule can behave 
“non-elementarily better” than skolemization. 

The results of our comparisons indicate that preprocessing activities have to 
be considered together with the underlying calculus. Moreover, even slight 
modification of the input formula (one quantifier is shifted) can yield a tremendous 
non-elementary increase of (minimal) proof length. 
Abstract. A choice construct can be added to fixpoint logic to give a 
more expressive logic, as shown in [GH]. On the other hand, a more 
straightforward way of increasing the expressive power of fixpoint 
logic is to add generalized quantifiers, corresponding to undefinable 
properties, in the sense of Lindström. The paper studies the expressive 
power of the choice construct proposed in [GH] in its relationships to 
the logics defined with generalized quantifiers. We show that no 
extension of fixpoint logic by a set of quantifiers of bounded arity 
captures all properties of finite structures definable in choice fixpoint 
logic. Consequently, no extension of fixpoint logic with a finite set of 
quantifiers is more expressive than the extension of fixpoint logic with 
choice construct. On the other hand, we give a characterization of 
choice fixpoint logic by an extension of fixpoint logic with a 
countable set of quantifiers. 



1 Introduction 

An interesting open problem in finite model theory is whether there is a 
reasonable logic which captures exactly those properties of finite structures that are 
PTIME-computable. It is known that if we consider only ordered structures then 
fixpoint logic, FP, the extension of first-order logic by means of an inductive 
operator, is sufficient to solve the problem [Imm,Var]. However, on unordered 
structures, there are a lot of PTIME properties that are not definable by fixpoint 
logic. Therefore, it is essential to explore the expressive power of extensions of 
fixpoint logic by means of various other operations. Such extensions have not only 
to be strong enough to capture these properties but have also to be computationally 
feasible. There are several methods to define such extensions in the literature, in 
particular the Lindström method and the non-deterministic method. 

The first one, having its origin in traditional model theory, is a well-established 
method which enriches a logic by adjoining to it generalized quantifiers 
corresponding to undefinable properties. Generalized quantifiers were first 
introduced by Mostowski [Mo] and the general definition for quantifiers was given 
by Lindström [Lin]. According to Lindström, any property of structures of some 
fixed finite vocabulary can be taken as the interpretation of a quantifier. For 
example, the Härtig quantifier y(φ(x), ψ(y)) is interpreted as "the number of 
elements satisfying φ is equal to the number of elements satisfying ψ". A quantifier 
Q can bind several variables in one or several formulas. One says that Q is n-ary if it 
binds at most n variables in each formula. The problem of adding generalized 
quantifiers to fixpoint logic is discussed in [KV] and [Hel]. Usually, fixpoint logic is 
defined in terms of least fixpoints of formulas in which a relation symbol occurs 
only positively. However, in the presence of quantifiers that are not necessarily 
monotone, positivity is no longer a guarantee of monotonicity. Therefore, in 
considering extensions of inductive logic by means of generalized quantifiers, one 
uses the inflationary version of fixpoint logic [GS]. The resulting logic is denoted as 
FP(Q). The expressive power of extensions of fixpoint logic with various sets of 
generalized quantifiers has been studied intensively. Kolaitis and Väänänen showed 
in [KV] that there is a PTIME-computable property which is not definable in the 
extension of FP with all unary quantifiers. Hella showed in [Hel] that there is a 
logical hierarchy between FP and PTIME in the sense that for any integer n there is 
a PTIME computable property of finite structures which is not definable in FP(Q) 
for any set Q of n-ary quantifiers. In particular, this rules out the possibility of 
capturing PTIME by a logic obtained from fixpoint logic by adding a finite number 
of quantifiers. 

G. Gottlob, E. Grandjean, K. Seyr (Eds.): CSL'98, LNCS 1584, pp. 105-125, 1999. 
© Springer-Verlag Berlin Heidelberg 1999 

Another method of extension is based on the introduction of non-deterministic 
constructs. The use of this kind of constructs in logics has a long history going back 
to the ε-symbol, introduced originally for proof theory by Hilbert. (See [Cai] for a 
discussion of its relationship to generalized quantifiers.) Roughly speaking, 
non-deterministic constructs provide the ability to choose, while defining a predicate, just 
one out of several candidates. The use of non-determinism in finite model theory is 
an interesting approach to obtain efficient and more expressive logics, as shown in 
[AB],[AV]. In fact, it is proved there that all PTIME-computable properties of finite 
structures can be defined by fixpoint logic extended with a choice operator. But, 
unfortunately, this does not mean that one obtains a logic for PTIME: this 
non-deterministic extension of fixpoint logic also defines formulas that may have many 
different interpretations for a given input structure, and it is undecidable whether a 
formula of this logic defines a unique interpretation on every structure. A more 
reasonable choice construct has been proposed in [GH] to solve this drawback. This 
non-deterministic construct, called symmetry-based choice, allows one to choose an 
arbitrary tuple satisfying a given formula, provided that for each pair of tuples 
satisfying it there is a definable automorphism mapping the tuples to each other. 
This restriction guarantees that the semantics of the choice fixpoint logic is 
deterministic, and all queries definable in it are computable in PTIME. Moreover, it 
is proved in [GH] that the closure under interpretation of the choice fixpoint logic is 
strictly stronger than FP+Count, the extension of fixpoint logic with the counting 
operator, proposed in [Imm]. This extension of fixpoint logic with symmetry-based 
choice construct seems therefore to be an interesting approach to study the gap 
between FP+Count and PTIME. In fact, it is still unknown whether there is a PTIME 
property of finite structures that cannot be defined by this logic. 

The goal of this paper is to study the expressivity of the symmetry-based choice 
construct proposed in [GH] in its relationships to the logics defined with generalized 
quantifiers*. Our main result is that the logic defined with the choice construct in 
[GH] cannot be captured by any extension of fixpoint logic with a set of quantifiers 
of bounded arity (consequently, nor with a set of a finite number of quantifiers). 
This means that the logic of [GH] is not contained in the logical hierarchies defined 
by Hella [Hel]. Note that by the result of [Hel] a necessary condition for a logic to 
capture PTIME is to have such a position in these hierarchies. On the contrary, we 
show that the restriction of choice fixpoint logic to formulas with bounded number 
of variables can be captured by fixpoint logic extended by a finite number of 
quantifiers. This result helps us to characterize the choice fixpoint logic by an 
extension of fixpoint logic with a countable set of quantifiers. 

*The relationship between choice operator and generalized quantifiers in the context 
of general non-determinism is studied in [Cai]. 

2 Generalized quantifiers and logical reduction operator 

In this section, we provide a brief introduction to the notion of generalized 
quantifiers, as defined by Lindström [Lin], and earlier results concerning the 
expressive power of generalized quantifiers in the context of finite model theory. We 
also introduce the notion of logical reduction which plays an important role in both 
methods of extending logics considered in this paper. 

Generalized quantifiers provide the means to assert structural properties of 
definably interpreted structures. We therefore first define the notion of interpreted 
structures. 

Definition 1. Let us consider a signature $\tau = \langle R_1, \ldots, R_n \rangle$, with $R_i$ of arity $r_i$, and a 
tuple of formulas $\pi = (\varphi_1, \ldots, \varphi_n)$, where each formula $\varphi_i$ has a tuple of variables $x_i$ of 
arity $r_i$. Over structures A of appropriate signature σ each $\varphi_i$ defines an $r_i$-ary 
predicate $\varphi_i[A] := \{a \in A^{r_i} \mid A \models \varphi_i(a)\}$, where A is the universe of A. We take π to 
interpret the following structure of signature τ over A: 

$\pi[A] := (A, \varphi_1[A], \ldots, \varphi_n[A])$ 

As usual, the formulas may have other free variables than the ones displayed; these 
are then regarded as parameters in the interpretation. 

A generalized quantifier is associated with an isomorphism-closed class K of 
structures that represents the structural property at issue. This quantifier binds 
formulas which are apt to interpret structures of the signature appropriate for K. 
Semantically such a quantifier allows one to assert membership in K of the interpreted 
structure. More formally, let K be of the signature $\tau = \langle R_1, \ldots, R_n \rangle$, with $R_i$ of arity $r_i$. 
The syntax of any logic L can be extended to allow the construction of formula 

$\psi := Q_K\, x_1, \ldots, x_n\, (\varphi_1(x_1), \ldots, \varphi_n(x_n))$ 

with semantics: 

$A \models \psi$ iff $\pi[A] \in K$ 

The logic obtained by closing L with the above formula formation is denoted by 
$L(Q_K)$. For a set of generalized quantifiers Q, we write L(Q) for the extension of the 
logic L by all the quantifiers in Q. ◊ 

The problem of adding quantifiers to fixpoint logic is discussed at length in [KV] 
and [Hel]. As mentioned in the introduction, in considering extensions of inductive 
logic by means of generalized quantifiers, one uses the inflationary version of 
fixpoint logic; the resulting logic is denoted by FP(Q). 

Let $L_{\infty\omega}$ be the usual infinitary logic which is obtained from first-order logic by 
allowing conjunction and disjunction over arbitrary sets of formulas. Adding a set of 
quantifiers Q to $L_{\infty\omega}$ we obtain the logic $L_{\infty\omega}(Q)$. The logic $L^{\omega}_{\infty\omega}(Q)$ consists of 
those formulas of $L_{\infty\omega}(Q)$ which contain a finite number of different variables. A 
straightforward modification of the proof that FP is contained in $L^{\omega}_{\infty\omega}$ shows that for 
any set of quantifiers Q, FP(Q) is contained in $L^{\omega}_{\infty\omega}(Q)$. 

The arity of a quantifier $Q_K$ associated to a class K of structures of signature τ is 
$\max\{\mathrm{arity}(R_i) \mid R_i \in \tau\}$. Here are some examples of generalized quantifiers. 

(a) Counting quantifiers: For each natural number n let $K_n$ be the set of all finite 
structures (A,P) such that $P \subseteq A$ has at least n elements. The counting quantifier 
$Q_{K_n}$ is usually written more intuitively as $\exists^{\geq n}$. 

(b) The Härtig quantifier is the quantifier which is determined by the class of all 
structures (A,P,S) such that $P, S \subseteq A$ and $|P| = |S|$. 
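The semantics of Definition 1 can be run directly on a finite structure. The following is an added example, not code from the paper: formulas are modelled as Python predicates, π[A] is computed by enumeration, and the counting and Härtig quantifiers are the two membership tests for their classes. The function names and the sample graph are assumptions made for the illustration.

```python
from itertools import product


def interpret(universe, formulas):
    """pi[A]: every (arity, predicate) pair yields the relation
    {a in A^r | A |= phi(a)} over the universe of A."""
    return tuple(
        frozenset(t for t in product(universe, repeat=arity) if phi(*t))
        for arity, phi in formulas
    )


def holds(universe, K, formulas):
    """A |= Q_K x_1..x_n (phi_1, ..., phi_n)  iff  pi[A] is in K."""
    return K(universe, interpret(universe, formulas))


def at_least(n):
    """Class K_n of structures (A, P) in which P has at least n elements."""
    def K(universe, relations):
        (P,) = relations
        return len(P) >= n
    return K


def hartig(universe, relations):
    """Class of structures (A, P, S) with |P| = |S|."""
    P, S = relations
    return len(P) == len(S)


def degree_formulas(universe, edges):
    """Two formulas with one free variable over a graph (A, E):
    phi(x) = 'x has an outgoing edge', psi(y) = 'y has an incoming edge'."""
    phi = lambda x: any((x, y) in edges for y in universe)
    psi = lambda y: any((x, y) in edges for x in universe)
    return [(1, phi), (1, psi)]


def evaluate(universe, edges):
    """Truth values of three quantified sentences on the graph (A, E)."""
    phi, psi = degree_formulas(universe, edges)
    return {
        "hartig": holds(universe, hartig, [phi, psi]),
        "at_least_3": holds(universe, at_least(3), [phi]),
        "at_least_4": holds(universe, at_least(4), [phi]),
    }


def rename(universe, edges, mapping):
    """Isomorphic copy of (A, E) under a bijection of the universe."""
    return ([mapping[a] for a in universe],
            {(mapping[a], mapping[b]) for a, b in edges})


# Constructed sample structure: three vertices have an outgoing edge
# (0, 3, 4) and three have an incoming edge (1, 2, 4).
UNIVERSE = [0, 1, 2, 3, 4]
EDGES = {(0, 1), (0, 2), (3, 2), (4, 4)}

if __name__ == "__main__":
    print(evaluate(UNIVERSE, EDGES))
    copy = rename(UNIVERSE, EDGES, {0: "e", 1: "d", 2: "c", 3: "b", 4: "a"})
    # The classes are isomorphism-closed, so the copy gives the same answers.
    print(evaluate(*copy))
```

Because each class only inspects the interpreted relations, renaming the universe cannot change the result, which is the isomorphism-closure requirement on K.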

It is interesting to note that one can associate to each operator T an equivalent set 
of generalized quantifiers: 

Fact 1. Let $T: \mathrm{Struct}(\sigma) \to \mathrm{Struct}(\Omega)$ be an isomorphism preserving mapping of 
structures over σ to structures over Ω, such that for any structure A over σ, 
$\mathrm{dom}(T(A)) \subseteq \mathrm{dom}(A)$. There is a finite set Q of quantifiers such that the mapping 
defined by the operator T is definable by a set of formulas of FO(Q). 

Proof: Suppose that $\sigma = \{R_1, \ldots, R_n\}$ and Ω = 

For each $1 \le i \le m$, we define the class $K_i$ of structures over $\sigma \cup \{X_i\}$ as follows: 

For any structure A over σ, the structure $\langle A, S_i \rangle$ belongs to $K_i$ iff $S_i$ contains only 
one tuple which is a tuple of $T(A)[X_i]$. 

Similarly, we define the class $K_0$ as follows: For any structure A over σ, the 
structure $\langle A, S_0 \rangle$ belongs to $K_0$ iff $S_0$ contains only one element which is an 
element of dom(T(A)). 

For each $0 \le i \le m$, let $Q_i$ be the quantifier associated to the class of structures $K_i$. Let 
us consider the following formulas $\psi_i$'s of FO(Q): 

$\psi_i(X) = Q_i\, z_1, \ldots, z_n, Y\, (R_1(z_1), \ldots, R_n(z_n), X = Y)$. 

One can verify that for each structure A over σ, $\psi_0[A]$ defines dom(T(A)) and for 
each $1 \le i \le m$, $\psi_i[A] = T(A)[X_i]$. ◊ 

The following result is a direct consequence of a result in [CFI] which showed 
that it does not suffice to add counting to fixpoint logic in order to express all 
PTIME properties. 

Theorem 1. ([CFI]) There is a polynomial time graph property that is not 
expressible in $L^{\omega}_{\infty\omega}(C)$, where C is the set of all unary counting quantifiers. 

Hella established the following result, which generalizes Theorem 1. 

Theorem 2. ([Hel]) Given any set Q of generalized quantifiers of bounded arity, 
there is a PTIME property of structures that is not definable in $L^{\omega}_{\infty\omega}(Q)$. 

There are some connections between results on generalized quantifiers and the 
notion of logical reduction. The latter means reductions between problems that can 
be expressed in a logical language. The notion is derived from the idea of 
interpretations between theories and was used in [Imm], [Daw], [GH]. Let us 
consider the classes of structures defined in Definition 1. Each tuple of formulas 
π can be considered as an interpretation of τ in σ, that is, a map from structures over 
σ to structures over τ. If C is the class of structures over σ defined by the formula ψ 
in Definition 1, then it is easily seen that the decision problem in C can be 
reduced to that in K, the class of structures over τ associated to the quantifier $Q_K$. 
In general, an interpretation may not preserve the domain of structures. The 
following definition of interpretation and logical reducibility generalizes that of 
Definition 1. 

Definition 2. Let σ and τ be two signatures, where $\tau = \langle R_1, \ldots, R_n \rangle$, with $R_i$ of arity 
$r_i$. An interpretation of τ in σ is a tuple $\pi = (\varphi_1, \ldots, \varphi_n)$ of formulas over the signature 
σ such that, for $1 \le i \le n$, each $\varphi_i$ is of arity $k_i r_i$, for some $k_i$. This interpretation 
defines a map, π, from structures over σ to structures over τ as follows: 

If A is a structure over σ, with universe A, then π(A) is a structure over τ whose 
universe is $A^{k_1} \cup \ldots \cup A^{k_n}$ and, for $1 \le i \le n$, 

$\pi(A)(R_i) := \{(a_1, \ldots, a_{r_i}) \mid a_1, \ldots, a_{r_i} \in A^{k_i} \text{ and } A \models \varphi_i(a_1, \ldots, a_{r_i})\}$ 

A class $C_1$ of structures over σ is said to be L-reducible to a class $C_2$ of structures 
over τ, if there is an L-interpretation π of τ in σ such that $A \in C_1$ iff $\pi(A) \in C_2$. ◊ 

(Note that the above definition of interpretation is slightly different from the 
standard one in which one uses only one parameter k to define the universe of 
π(A), i.e., $k_i = k_j$ for all i, j.) 

The notion of logical reduction may be used in different ways. On the one hand, 
as proposed in [Daw], this notion can be used to define for each class C of structures 
over $\langle R_1, \ldots, R_n \rangle$ a uniform sequence of quantifiers $\{Q_k \mid k \in \omega\}$. Each $Q_k$ of this 
sequence is the quantifier associated to the class $C_k$ of structures which can be 
reduced to C by a reduction of size k. More precisely, $C_k$ is the class of structures 
over $\langle R'_1, \ldots, R'_n \rangle$, where the arity of $R'_i$ is $k \cdot \mathrm{arity}(R_i) = k \cdot r_i$, such that A is in $C_k$ iff the 
structure π(A) is in C, where π is a natural reduction of A on the universe of k-tuples 
of A; i.e., for each i, 

$\pi(A)(R_i) := \{(a_1, \ldots, a_{r_i}) \mid a_1, \ldots, a_{r_i} \in A^k \text{ and } A \models R_i(a_1, \ldots, a_{r_i})\}$. 

The notion of a uniform sequence of quantifiers is a natural extension of the notion 
of a generalized quantifier associated with a class of structures which overcomes the 
limitations of collections of quantifiers of bounded arity. 

On the other hand, logical reduction can be considered as a natural method to 
extend a logic, as shown in [GH]. This method enriches a logic by the reductions 
which are definable by the logic itself. More precisely, the extension is based on the 
introduction of a so-called logical reduction operator, denoted by I (for 
interpretation), and is defined as follows. 

Definition 3. [GH] Let L be a logic, σ, τ be two signatures, θ be an L-sentence over 
τ, and $\pi = (\varphi_1, \ldots, \varphi_n)$ be an interpretation of τ in σ, defined as in Definition 2, such 
that $\varphi_1, \ldots, \varphi_n$ are L-formulas. The syntax of L can be extended to allow the 
construction of formulas of the form 

$\psi := I\, x_1, \ldots, x_n\, (\varphi_1(x_1), \ldots, \varphi_n(x_n);\ \theta)$ 

whose semantics is defined as follows: 

$A \models \psi$ iff $\pi(A) \models \theta$ 

The logic obtained by closing L with the above formula formation is denoted 
by L + I. 

It should be noted that the closure under logical reduction is more general than 
the closure under substitution defined in [Ebb]. In fact, substitution is a reduction 
with size 1. As from an observation in [Kry], given a class of structures C, $L(Q_C) + I$ 
captures the extension of L with the uniform sequence of quantifiers associated to 
the class C defined above, while the closure of L(C) under substitution is L(C) itself 
if L is regular. The logical reduction operator also plays a significant role in the 
context of logics with choice construct, as we will see in the next section. 
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3 Extension with the choice construct 

In this section, we review the basic concepts of the method of logical extension 
with the choice construct proposed in [GH]. 

As presented in the introduction, the use of non-determinism in finite model 
theory is an interesting approach to obtain more expressive logics. Indeed, one of the 
main drawbacks of traditional logics is the fact that they cannot distinguish between 
equivalent tuples of a structure, i.e. tuples that agree on all first-order formulas and 
therefore are logically inseparable. This aspect of traditional logics seems to strongly 
limit their expressive power. For example, evenness is a query that cannot be 
defined by fixpoint logic, although it is easily computed, simply by enumerating the 
elements of the structure while keeping a binary counter. Non-determinism offers a 
natural way to define efficiently such properties of structures, using a choice 
construct. In [AV] this construct is defined as follows: let $\Phi(x)$ be a formula, then
$W_x\,\Phi(x)$ is a formula whose semantics on a structure B is a set of interpretations
each of which corresponds to a tuple of $\Phi[B]$. Roughly speaking, the choice
construct applied to a formula chooses an arbitrary element among those of the
structure that satisfy the formula, i.e., it distinguishes between this element and the
others. It is therefore possible using fixpoint together with the choice construct to
define an order on a structure. In [GH], this choice mechanism is integrated into the
inflationary fixpoint operator to get an operator, called inflationary choice fixpoint
and denoted by $\mathrm{IFP}_c$, as follows:



Definition 4. [GH] Let $\Psi(x,S,T)$, $\Phi(y,S,T)$ be FO-formulas over $\sigma \cup \{S,T\}$, such that
the arities of S and T match the free variables x and y respectively. The formula

$\mathrm{IFP}_c[S,T](\Psi,\Phi)$

defines on each input structure A over $\sigma$ a relation which is the limit of a
sequence of relations computed as follows:

$S_0 = T_0 = \emptyset$,

for $i \ge 0$,

$T_{i+1} = \mathrm{choice}(\Phi_i)$, $S_{i+1} = S_i \cup \Psi_i$,

where $\Phi_i = \Phi[A_i]$, $\Psi_i = \Psi[A_i]$, $A_i$ is the structure A expanded with $S_i$ and $T_i$, and
choice(R) is an operator that returns an arbitrary tuple of R. □

In general, a formula of FO + $\mathrm{IFP}_c$ has many interpretations on a given structure
and therefore cannot be used to define a property of structures in the traditional 
sense. A more reasonable non-determinism is used in [GH] to overcome this 
drawback. The choice mechanism is used only to distinguish between equivalent 
elements of a structure, i.e., elements that are interchangeable by an automorphism 
of the structure. Evidently, computations using this choice mechanism are usually
unfeasible because they involve automorphism tests between elements of a structure.
However, a low complexity choice mechanism can be defined by including as a
witness, in the choice operator, a formula which defines the required automorphism.
So the choice is triggered on a set of elements only if the mappings defined by the
formula are the automorphisms of the structure that interchange the elements of this
set. Formally, given a structure B and two relations $R_\Phi$ and $R_F$ such that the arity of
$R_\Phi$ is m and the arity of $R_F$ is 2m+2, we define a function $\mathrm{choice}(B,R_\Phi,R_F)$ as
follows:

For any two m-tuples u,v, let us denote by $F_{u,v}$ the binary relation containing
the 2-tuples (x,y) such that $R_F(u,v,x,y)$. The function $\mathrm{choice}(B,R_\Phi,R_F)$
returns an arbitrary m-tuple of $R_\Phi$, if for any m-tuples a and b in $R_\Phi$, the
mapping whose graph is $F_{a,b}$ is an automorphism of B that maps a to b,
otherwise the function returns empty.

This symmetry-based choice construct is feasible because the test whether a 
mapping is an automorphism is realisable in polynomial time. 
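The symmetry-based choice function described above can be run directly on small finite structures. The following Python sketch is an added illustration, not code from the paper: the representation of structures as dictionaries of tuple sets, the sample graphs and the witness relations ROTATE and REFLECT are all constructed for this example, and the "arbitrary" tuple is taken to be the minimum so that the result is reproducible.

```python
from itertools import product


def is_automorphism(universe, relations, mapping):
    """Polynomial-time test: is `mapping` (a dict) an automorphism of the structure?"""
    if set(mapping) != set(universe) or set(mapping.values()) != set(universe):
        return False  # not a bijection on the universe
    for tuples in relations.values():
        image = {tuple(mapping[x] for x in t) for t in tuples}
        if image != tuples:  # for a bijection on a finite set, f(R) = R means R is preserved
            return False
    return True


def witness_map(r_f, a, b):
    """Map whose graph is F_{a,b} = {(x, y) | R_F(a, b, x, y)}; None if not functional."""
    mapping = {}
    for t in r_f:
        if t[:len(a)] == a and t[len(a):2 * len(a)] == b:
            x, y = t[-2], t[-1]
            if mapping.setdefault(x, y) != y:
                return None
    return mapping


def choice(universe, relations, r_phi, r_f):
    """Symmetry-based choice: return a tuple of r_phi only if r_f witnesses that any
    two of its tuples are exchanged by an automorphism; otherwise None ("empty")."""
    for a, b in product(r_phi, repeat=2):
        f = witness_map(r_f, a, b)
        if f is None or not is_automorphism(universe, relations, f):
            return None
        if tuple(f[x] for x in a) != b:
            return None
    return min(r_phi) if r_phi else None  # stand-in for the arbitrary pick


def sym(edges):
    """Symmetric closure of a list of undirected edges."""
    return {(u, v) for u, v in edges} | {(v, u) for u, v in edges}


# Constructed sample structures on the universe {0, 1, 2, 3} (here m = 1, so R_F is 4-ary).
V = range(4)
CYCLE = {"E": sym([(0, 1), (1, 2), (2, 3), (3, 0)])}
PATH = {"E": sym([(0, 1), (1, 2), (2, 3)])}
ALL = {(v,) for v in V}
# Witness "rotate by v - u": an automorphism of the cycle, not of the path.
ROTATE = {(u, v, x, (x + v - u) % 4) for u, v, x in product(V, repeat=3)}
# Witness "identity if u = v, else reflect": exchanges the two ends of the path.
REFLECT = {(u, v, x, x if u == v else 3 - x) for u, v, x in product(V, repeat=3)}

if __name__ == "__main__":
    print(choice(V, CYCLE, ALL, ROTATE))             # all vertices of the cycle are symmetric
    print(choice(V, PATH, ALL, ROTATE))              # rotation is not an automorphism of the path
    print(choice(V, PATH, {(0,), (3,)}, REFLECT))    # the two end points are symmetric
    print(choice(V, PATH, {(0,), (1,)}, REFLECT))    # reflection does not map 0 to 1
```

Each call performs at most |R_Φ|² automorphism tests, each linear in the size of the structure, which is the polynomial bound the text refers to.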

The inflationary choice fixpoint operator using this specified symmetry-based
choice construct is denoted by $\mathrm{IFP}_{c,s}$. It is defined in the same way as $\mathrm{IFP}_c$ in
Definition 4, except that the function $\mathrm{choice}(\Phi_i)$ is replaced by $\mathrm{choice}(A_i,\Phi_i,F_i)$.

Definition 5. [GH] Let $\Psi(x,S,T)$, $\Phi(y,S,T)$, $F(w,S,T)$ be formulas over $\sigma \cup \{S,T\}$,
such that arity(S) = |x|, arity(T) = |y| and |w| = 2|y|+2. The formula

$\varphi(x) := \mathrm{IFP}_{c,s}[S,T](\Psi,\Phi,F)$ (1)

defines on each input structure A over $\sigma$ a relation which is the limit $S_\infty$ of a
sequence of relations computed as follows:

$S_0 = T_0 = \emptyset$,

for $i \ge 0$,

$T_{i+1} = \mathrm{choice}(A_i,\Phi_i,F_i)$, $S_{i+1} = S_i \cup \Psi_i$,

where $A_i$ is the structure A expanded with $S_i$ and $T_i$, $\Phi_i = \Phi[A_i]$, $\Psi_i = \Psi[A_i]$
and $F_i = F[A_i]$. □

The following proposition states that the non-determinism implied by $\mathrm{IFP}_{c,s}$ is
sound, i.e. all of its different computations are isomorphic.

Proposition 1. [GH] Let $\{A_0,A_1,\dots\}$ and $\{A_0',A_1',\dots\}$ be any two sequences of
structures, defined by Definition 5, corresponding to two different computations of
$\mathrm{IFP}_{c,s}[S,T](\Psi,\Phi,F)$ on an input structure A; then for all i > 0, $A_i$ is isomorphic to $A_i'$.

A boolean choice formula is a formula of the form:

$Q_1 x_1 \dots Q_m x_m\,\varphi(x_1,\dots,x_m)$, (2)

where $Q_i$ is a quantifier $\forall$ or $\exists$ and $\varphi$ is a choice formula of the form (1) in
Definition 5. The following corollary is a direct consequence of Proposition 1.

Corollary 1. Any boolean choice formula is deterministic, that is, it always has a
unique truth value on every structure.

Any logic L can be extended with boolean choice formulas of the form (2)
which, by Corollary 1, ensure the determinism of the extended logic. We denote by
choice-IFP this extension of IFP, i.e. the logic obtained by adding the construction
of formulas of the form (2) to the rules of formula construction of IFP.

Theorem 3. [GH] There is a PTIME-property of structures that is expressible by 
choice-IFP but not by IFP+Count. 



Closure under Interpretation 

The semantics of a symmetry choice construct in a formula depends on the 
automorphism of the structure on which the formula is evaluated (and its 
expansions). This semantics limits, however, the expressivity of the choice-IFP 
logic. For example, IFP+Count is not contained in choice-IFP. In fact, one can
notice that on rigid structures choice-IFP collapses to IFP and there are classes of
rigid graphs on which IFP collapses to quantifier free formulas, but IFP+Count can
define a linear order and hence capture PTIME.

It is interesting therefore to define a logic in which the choice operator may refer
to the automorphisms of an interpreted structure. Such a logic can be obtained by
closing choice-IFP with interpretation. This closure, defined in Definition 3 of
Section 2, is denoted by choice-IFP + I. In fact, in a choice-IFP + I formula of the
form $I(\varphi_1,\dots,\varphi_n;\theta)$, where $\theta$ is a choice-IFP formula, the choice operator in $\theta$ does
not refer to the automorphisms of the input structure A but to those of the interpreted
structure $\pi(A)$ on which $\theta$ is evaluated. Unlike choice-IFP, the closed logic
choice-IFP + I does not collapse to IFP on rigid structures. Moreover, it is shown that
the closure under interpretation of choice-IFP is strictly more expressive than
FP+Count.

Theorem 4. [GH] FP+Count $\subset$ choice-IFP + I $\subseteq$ PTIME

Remark. One may think of using, as an alternative to the closure under interpretation,
choice formulas with explicit relations defining the structure on which the
automorphism is considered. E.g., use a formula of the form $\mathrm{IFP}_{c,s}(X;\Psi,\Phi,F)$ and
require that the choice operator refers to the automorphism of the structure with the
relations defined by X(A). However, the semantics of this choice formula is not
deterministic. This is because, while the condition of symmetry is defined w.r.t. the
structure X(A), the computation of the formulas $\Psi,\Phi,F$ is always defined w.r.t. the
input structure A. On the contrary, with closure under interpretation, the
computation and the automorphism refer to the same structure (the interpreted
structure), so one can ensure the determinism of the semantics.



4 Main result 

In this section, we show our main results concerning the relationship in 
expressive power between fixpoint logics extended with generalized quantifiers and 
the choice fixpoint logic defined in the previous section. 

Theorem 5. For each natural number n, let $Q_n$ be the set of all n-ary generalized
quantifiers, then there is a PTIME-computable property of finite structures that is
expressible in the logic choice-IFP, but not in $FP(Q_n)$.

The following corollary is an immediate consequence of the above theorem. 

Corollary 2. There is no finite set Q of generalized quantifiers such that FP(Q) is
more expressive than choice-IFP.

To show Theorem 5, we will use the class of structures defined by Hella to prove
Theorem 2. We first present a brief description of this class of structures; the details
can be found in [Hel].

4.1 Construction [Hel]: 

Let G = (V,E) be a connected (undirected) graph such that the degree of each
vertex of G is n+1. One constructs a structure $G_S$ from G by replacing each vertex u
of G by a structure C(u) defined as follows:

Let $C = \{c_0,\dots,c_n\} \cup \{d_0,\dots,d_n\}$ where $c_0,\dots,c_n,d_0,\dots,d_n$ are all distinct, and let ~ be
the following equivalence relation on C:

$x \sim y$ iff there is i such that $x, y \in \{c_i, d_i\}$

So each pair $\{c_i, d_i\}$, $0 \le i \le n$, is an equivalence class.

We define two (n+1)-ary relations $R^+$ and $R^-$ on C as follows:

- $R^+$ contains the tuple $(a_0,\dots,a_n)$ iff for all $i \ne j$, $a_i$ and $a_j$ are not ~-equivalent
and there is an even number of $d_j$'s among the $a_i$'s,

- $R^-$ contains the tuple $(a_0,\dots,a_n)$ iff for all $i \ne j$, $a_i$ and $a_j$ are not ~-equivalent
and there is an odd number of $d_j$'s among the $a_i$'s.

We denote by $C^+$ and $C^-$ the structures $(C,R^+)$ and $(C,R^-)$, respectively. Clearly, if f is
an automorphism of $C^+$ or $C^-$ or an isomorphism between these two structures, then
it must preserve the equivalence relation ~:

$a \sim b \Leftrightarrow f(a) \sim f(b)$

The following lemma describes such automorphisms and isomorphisms:

Lemma 1. [Hel] Let $f: C \to C$ be a bijection that preserves the relation ~.
Then:

- f is an automorphism of $C^+$ and $C^-$ iff the number $|\{i \le n \mid \exists j \le n\,(f(c_i) = d_j)\}|$
of the c,d-exchanges of f is even;

- f is an isomorphism between $C^+$ and $C^-$ iff this number is odd.
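Lemma 1 can be checked exhaustively for a small n. The following Python sketch is an added illustration, not part of the paper: it builds $C^+$ and $C^-$ for n = 2 (a value chosen here to keep the enumeration small), enumerates every bijection of C that preserves ~, and compares the parity of its c,d-exchanges with its behaviour on the two relations.

```python
from itertools import permutations, product

N = 2  # assumption for the demo: n = 2, so C has 2(n+1) = 6 elements
C = [(kind, i) for kind in "cd" for i in range(N + 1)]  # ("c", i) is c_i, ("d", i) is d_i


def relation(parity):
    """R+ (parity 0) or R- (parity 1): the (n+1)-tuples whose entries are pairwise
    non-equivalent and contain an even (resp. odd) number of d's."""
    return {
        t for t in permutations(C, N + 1)
        if len({i for _, i in t}) == N + 1
        and sum(kind == "d" for kind, _ in t) % 2 == parity
    }


def class_preserving_bijections():
    """Yield (f, exchanges) for every bijection f: C -> C with a ~ b <=> f(a) ~ f(b).

    Such an f permutes the classes {c_i, d_i} (sigma) and, inside each class,
    either keeps c and d or exchanges them (flips)."""
    for sigma in permutations(range(N + 1)):
        for flips in product((0, 1), repeat=N + 1):
            f = {}
            for i in range(N + 1):
                c_img, d_img = ("d", "c") if flips[i] else ("c", "d")
                f[("c", i)] = (c_img, sigma[i])
                f[("d", i)] = (d_img, sigma[i])
            yield f, sum(flips)  # sum(flips) = |{i | f(c_i) = d_j for some j}|


def image(f, rel):
    """Image of a relation under the map f."""
    return {tuple(f[x] for x in t) for t in rel}


def check_lemma_1():
    """Return the number of bijections checked, or None if one contradicts Lemma 1."""
    r_plus, r_minus = relation(0), relation(1)
    checked = 0
    for f, exchanges in class_preserving_bijections():
        even = exchanges % 2 == 0
        is_auto = image(f, r_plus) == r_plus and image(f, r_minus) == r_minus
        is_iso = image(f, r_plus) == r_minus
        if is_auto != even or is_iso != (not even):
            return None
        checked += 1
    return checked


if __name__ == "__main__":
    print(len(relation(0)), len(relation(1)), check_lemma_1())
```

Every tuple of $R^+$ or $R^-$ meets each class exactly once, so an exchange in any class flips the parity of the d's in every tuple; this is why only the parity of the number of exchanges matters.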

Now, for each subset S of V we define a structure $G_S$ as follows:

- each vertex u of G is associated to a copy of $C^+$ or $C^-$, denoted by C(u),
depending on whether u is in S or not;

- each edge (u,v) of G is replaced by two edges linking, for some specific i,j, the
component $c_i$ (resp. $d_i$) of C(u) to the component $c_j$ (resp. $d_j$) of C(v).

More precisely, let h be a function enumerating, for each vertex u of G, the edges
adjacent to u, i.e. h(u,v) = i if (u,v) is the i-th edge adjacent to u. $G_S$ is a structure
whose signature contains the relation symbols R, of arity n+1, and E of arity 2 such
that:

- the universe of $G_S$ is $V \times C$,

- the relation R of $G_S$ is the set of (n+1)-tuples $((u,a_0),\dots,(u,a_n))$ of $(V \times C)^{n+1}$
such that if $u \in S$ then $(a_0,\dots,a_n) \in R^-$, else $(a_0,\dots,a_n) \in R^+$,

- the relation E of $G_S$ is the set of pairs $((u,c_i),(v,c_j))$ and $((u,d_i),(v,d_j))$ of
$(V \times C)^2$ such that (u,v) is an edge of G and i = h(u,v) and j = h(v,u).

The main property of the structures $G_S$ is stated in the following lemma [Hel]:

Lemma 2. Let S,T be any two subsets of V. The structures $G_S$ and $G_T$ are
isomorphic iff S and T have the same parity.

Remark that, by the above construction, if S and T have the same parity then the
numbers of copies of $C^+$ in $G_S$ and in $G_T$ also have the same parity.

For each vertex v of V and $0 \le j \le n$, we will call $\{(v,c_j),(v,d_j)\}$ a pair and we
will denote it by p(v,j). We say that a pair p(v,j) is connected to a pair p(u,i) if their
c,d-components are related by the relation E, that is, if we have $E((u,c_i),(v,c_j))$ and
$E((u,d_i),(v,d_j))$. Note that for each pair there is exactly one pair connected to it.

In what follows we suppose that there is a linear order < on the vertices of the
initial graph G. This implies an order $<_p$ on the set of pairs as follows:

$p(v,i) <_p p(w,j)$ iff v<w or (v=w and i<j)

Let u be any vertex of G. We define the two following structures:

$A_G = (G_\emptyset, <)$,

$B_G = (G_{\{u\}}, <)$

By Lemma 2, it follows that the structures $A_G$ and $B_G$ are not isomorphic.
Furthermore, we can distinguish between them (in polynomial time) by counting the
number of copies of $C^+$ they contain.

Let us consider the class of structures of the type $A_G$ or $B_G$ for each graph G.
The problem whether a structure of this class is of the type $A_G$ (or $B_G$) is decidable
in polynomial time. However, it is shown in [Hel], using the technique of k-pebbles
game adapted to logics with generalized quantifiers, that for each k>n there is a
graph G such that $A_G$ and $B_G$ are equivalent on all formulas of $L^k_{\infty\omega}(Q_n)$.

4.2 Proof of theorem 5 

To prove that there is a PTIME computable property of finite structures that is
expressible in choice-IFP but not in $FP(Q_n)$, it suffices to show that the property of
structures defined above is expressible by a formula of choice-IFP.

Let G be the connected graph used in the construction of the above structures
$A_G$ and $B_G$. Let $D_G$ be a structure of the type $A_G$ or $B_G$. The main idea of the
proof is to use the symmetry-based choice mechanism of choice-IFP to generate an
order on $D_G$ and then use the order to express all PTIME properties. This will be
done by using particular symmetries of the structure $D_G$. So we first focus on such
automorphisms of this structure.

* Automorphisms of $D_G$

Consider a set of structures $C(v_0),\dots,C(v_r)$ of $D_G$, such that $v_0,\dots,v_r$ form a cycle
on the graph G, that is, $(v_m,v_{m+1})$, for $0 \le m < r$, and $(v_r,v_0)$ are edges of G. Let
$f: V \times C \to V \times C$ be the bijection that exchanges the components c and d corresponding
to the edges that link the structures $C(v_m),C(v_{m+1})$, for $0 \le m < r$, and $C(v_0),C(v_r)$,
that is:

- $f(v_m,c_l) = (v_m,d_l)$ and $f(v_m,d_l) = (v_m,c_l)$

for: ( 0<m<r and $l = h(v_m,v_{m+1})$ or $l = h(v_m,v_{m-1})$ )
or ( m = r and $l = h(v_r,v_0)$ or $l = h(v_r,v_{r-1})$ )
or ( m = 0 and $l = h(v_0,v_r)$ or $l = h(v_0,v_1)$ )

- The other elements of $V \times C$ are invariant for f.

For each vertex w of the above cycle, let $f_w: C \to C$ be the "restriction" of f to w, that
is: $f_w(a) = b$ iff f(w,a) = (w,b). It can be seen that the number of c,d-exchanges of $f_w$
is two. It follows from Lemma 1 that, for each vertex w of the above cycle, $f_w$ is an
automorphism of $C^+$ or $C^-$. Moreover, f preserves the relation E and the order $<_p$
of $D_G$; f is therefore an automorphism of $D_G$.

* Generation of an order on $D_G$ by choice-IFP

As there is an order $<_p$ between the pairs of $D_G$, the main problem is to order the
c,d-components of each such pair. We generate such an order by iterating the
following three steps:

(During this computation, we say that a pair p is ordered if its c,d-components are
ordered.)

Step 1: Compute an unordered pair p(v,j) and an automorphism f of the structure
that exchanges the components $(v,c_j),(v,d_j)$ of this pair.

Step 2: Choose one of the components of p(v,j) (say $(v,c_j)$).

Step 3: Order the c,d-components of this pair p(v,j) by $(v,c_j) < (v,d_j)$ and
propagate the ordering as follows:

For each unordered p(u,i):

a- If the pair p(w,l) connected to it is ordered, then order p(u,i) as follows:

If $(w,c_l) < (w,d_l)$ and $E((u,c_i),(w,c_l))$ and $E((u,d_i),(w,d_l))$ then $(u,c_i) < (u,d_i)$;
Otherwise,

b- If the n other pairs in the structure C(u) are ordered, then order p(u,i) in the
way shown in Lemma 3 below.

We give below a detailed description of the above three steps. 

Description of Step 2 

The choice operation in Step 2 is a symmetry-based choice: it uses the choice set and
the automorphism, computed by the formulas $\Phi$ and F given in Step 1 (see below
the description of Step 1).

Description of Step 3

Step 3 iterates the two steps 3-a and 3-b, each of which is FO-definable. In fact, the
ordering in Step 3-a is clearly FO-definable, and as shown in Lemma 3 below the
ordering in Step 3-b is FO-definable too.

Lemma 3. If in a structure C(v) there are n pairs ordered then the c,d-components of
the (n+1)-th pair are distinguishable and can be ordered by a FO-formula.

Proof. Suppose that the pairs p(v,0),...,p(v,n-1) of C(v) are ordered. This implies a
linear order on the set X of all n-tuples of the form $((v,a_0),\dots,(v,a_{n-1}))$, where
$a_i \in C \setminus \{c_n,d_n\}$. Let $((v,x_0),\dots,(v,x_{n-1}))$ be the first tuple of X such that, for some
$x_n \in \{c_n,d_n\}$, $((v,x_0),\dots,(v,x_{n-1}),(v,x_n))$ is in the relation R of C(v). Note that, by the
definition of R, the value of $x_n$ is unique. So, we can order the c,d-components of
the (n+1)-th pair as follows: $(v,c_n) < (v,d_n)$ if $x_n = c_n$ and $(v,d_n) < (v,c_n)$ if $x_n = d_n$.
Clearly such an ordering is FO-definable. □

So we have the following lemma:

Lemma 4. There is a fixpoint formula $\Psi$ defining the ordering in Step 3.

Description of Step 1 

This step will compute a pair p(v,j) participating in a cycle of $D_G$ such that the
pairs connecting the structures C(u) of this cycle are all unordered. As observed
above, there is an automorphism of $D_G$ that exchanges the c,d-components of
p(v,j). This cycle is computed as follows:

Let $p_1$ be the first pair (w.r.t. the order $<_p$) that is unordered (as long as the pairs in
$D_G$ are not all ordered, there is always such a pair). We construct now a directed
path containing only unordered pairs of $D_G$ by the following rules:

+ $p_1$ is the first pair of the path;

+ if a pair $p_m$ of a structure C(u) is in the path and has not yet a successor then:
a- if the pair connected to $p_m$ is not yet in the path, then it is added to
the path as successor of $p_m$;
otherwise

b- if there are no other pairs of C(u) that are in the path, then the first
(according to $<_p$) unordered pair of C(u) that is not in the path is added to
the path as the successor of $p_m$.

(thus if a) and b) are not satisfied then $p_m$ is the last pair of the path).

It is clear that at each iteration of the above rules only one new pair is added to the
path. The construction of the path needs at most n iterations of the above rules,
where n is the number of pairs in $D_G$. Furthermore, as the ordering in Step 3-a
assures that if a pair is unordered then so is the pair connected to it, one can see that
the path so constructed contains only unordered pairs. On the other hand, following
the ordering in Step 3-b, if a structure C(u) contains an unordered pair, it must
contain at least two such pairs. This implies that if the condition of the above rule b)
is satisfied, then $p_m$ has a successor and is not the last pair of the path. So a pair $p_m$
of the path is the last pair if the conditions of the rules a) and b) are not satisfied. It is
easily seen that this occurs when the path returns to a structure C(u) through which it
has already gone. Let $p_m$ be the last pair and $p_r$ be the pair of the path that belongs
to the same structure C(u) as $p_m$. One can verify that the structures C(u) of $D_G$ that
contain the pairs of the path from $p_r$ to $p_m$ form the cycle that we require. Now the
pair computed by Step 1 is the first pair (according to the order $<_p$) of the cycle. The
automorphism computed by Step 1 is the mapping that exchanges the c,d-components
of each pair participating in the connection of the cycle.

Following the description of the computation of this step, one can see that this
pair and the automorphism are definable by a fixpoint formula. So we have the
following lemma:

Lemma 5. There are fixpoint formulas $\Phi$ and F that define respectively the pair and
the automorphisms computed in Step 1.

Finally, the ordering on $D_G$ obtained by iterating the three steps 1, 2 and 3 is defined
by the formula

$\theta := \mathrm{IFP}_{c,s}[<,T](\Psi,\Phi,F)$

where $\Psi$, $\Phi$ and F are the formulas of Lemmas 4 and 5, respectively.

It is clear that the computation that iterates the above three steps terminates when all
of the pairs of the structure are ordered. So, at the end of the choice fixpoint
computation of the above formula we have a linear order on the structure $D_G$.

We have shown that there is a formula of choice-IFP defining an order < on the
structure $D_G$. Using the fact that the property separating the structures $A_G$ and $B_G$ is
in PTIME, one knows that there is a fixpoint formula $\mu(<)$, referring to this order,
that defines this PTIME property. Therefore, the computation of this property
involves at first the computation of the order by the above formula $\theta$ and then the
computation of the formula $\mu$. The whole computation can also be defined in
choice-IFP. In fact, one has just to include a control mechanism that makes the computation
switch to that of $\mu$ when the computation of < terminates. For example, we can
replace $\Psi$ by the following formula $\Psi^*$:

$\Psi^*(Z_1,Z_2) = (Z_2 = 0 \wedge \Psi(Z_1) \wedge \neg\text{End-order}) \vee (Z_1 = 1 \wedge \text{End-order} \wedge \mu(Z_2))$,

where End-order $= \forall x,y\,(\Psi(x,y) \rightarrow x<y)$ is a predicate which is true only when no
new order is generated by $\Psi$.

The choice-IFP formula that computes the property then has the following form:

$\theta^* := \mathrm{IFP}_{c,s}(\Psi^*,\Phi,F)$ □

Remark. 1- The order computed in the above proof is the result of an iteration in
which at each step one realizes first the choice computation (defined with the
formulas $\Phi$ and F) and then based on the result of this choice one computes the
corresponding order (supposed to be defined by the formula $\Psi$). This computation
does not correspond exactly to the scheme of computation of a choice-IFP formula
in Definition 5 in which the choice step and the inductive step are realized
simultaneously at each iteration. However, one can solve this mismatch by including
in the above formulas $\Psi$ and $\Phi$ a control mechanism that helps to alternate the
triggers of the order computation and the choice computation.

2- The proof makes an essential use of the assumed linear order on the graph G.
Without it (and the pre-order it generates on $A_G$ and $B_G$) the proof would not go
through. On the other hand, the order is not needed for proving the result in [Hel].
This raises an interesting question whether $A_G$ and $B_G$ without the order could be
separated by choice-IFP.

5 Lindström characterization of the choice construct

The previous section shows that the whole choice fixpoint logic cannot be 
captured by a finite number of quantifiers. In this section, we show on the contrary 
that, for each integer k, the restriction of choice fixpoint logic to formulas containing 
at most k variables can be captured by an extension of fixpoint logic with finitely 
many quantifiers (Theorem 7). This result allows us to characterize the whole choice
fixpoint logic by an extension of fixpoint logic with a countable set of generalized
quantifiers (Theorem 8).

To be more precise, the fixpoint part of this characterization is the following
FP*. With any finite structure A over $\sigma$ associate the two-sorted structure A*
extending the domain of A with the set $N_A = \{1,\dots,|A|\}$. That is, A* is a structure
over $\sigma \cup \{<\}$ such that $\mathrm{dom}(A^*) = A \cup N_A$, $A^*(\sigma)$ coincides with A and $A^*(<)$ is the
natural ordering on $N_A$.

Definition 6. FP* is just full fixpoint logic for the two-sorted variants A* of 
structures A. We allow first-order quantification on both sorts, and fixpoint 
construction over mixed-sorted predicate variables. FP*(Q) is the extension of FP* 
with a set Q of quantifiers. □

The notion of k-equivalence of tuples plays an important role in our 
characterization. Recall that two k-tuples of a structure are k-equivalent if they 
satisfy exactly the same FO-formulas with k variables. It is known that the k- 
equivalence relation is FP-definable, and there is an FP-formula that defines an order 
on the k-equivalence classes of a structure. Moreover, a fixpoint computation on a 
structure A can be reduced to a fixpoint computation on the k-equivalence classes of 
A. This is the meaning of the following normal form theorem of fixpoint logic: 

Theorem 6. [AV2] For each FP-formula $\varphi$ with k variables over a signature $\Omega$, there
is a formula $\hat\varphi$ over a signature $\hat\Omega$, called the k-quotient of $\Omega$, such that for any
structure A over $\Omega$, one can associate a structure $\hat A$ over $\hat\Omega$, called the k-quotient of
A, whose domain is the set of k-equivalence classes of A, and satisfying the
following property:

For any k-tuple a of A, $A \models \varphi(a)$ iff $\hat A \models \hat\varphi([a])$, where [a] is the k-equivalence
class of a. □

In the case of fixpoint with choice, the computation cannot be reduced to the one 
on some fixed k-equivalence classes of the input structure, since the choice operator 
splits these classes. However, one can consider the computation between two 
consecutive choices as a computation on the k-equivalence classes of the 
intermediate structure. Roughly speaking, we will define for each k a generalized 
quantifier that simulates this form of computation of choice fixpoint formulas with k 
variables. 

The second sort in FP* is used essentially to define the k-quotient of the
intermediate structures. In fact, as there is an order on the k-equivalence classes of a
structure A, we can represent each k-equivalence class by its rank with respect to
this order. As the number of k-equivalence classes is bounded by $|A|^k$, we will
therefore represent the m-th k-equivalence class by the k-tuple of $N_A$ of rank m. For
the sake of simplicity, in what follows we will denote a k-tuple of $N_A$ of rank m by
the integer m. Moreover, we will suppose that for each formula $\varphi$ of k variables, its
normal form $\hat\varphi$ according to Theorem 6 is a formula whose variables take as values
the integers m, i.e. the k-tuples of $N_A$.

The Lindström characterization uses a generalized quantifier whose definition is
based on the operators defined below.

Let choice-IFP$^k$ be the set of choice-IFP formulas containing at most k variables
and $\mathrm{IFP}_{c,s}[S,T](\Psi,\Phi,F)$ be a formula of choice-IFP$^k$. We first consider the
computation of this formula at each step in terms of the k-equivalence classes of the
intermediate structures $A_i$. At each step i, we associate, for example, to the relation
$S_i$ computed by $\Psi$ a k-ary relation $S_i^*$ on the second sort computed by the formula
$\hat\Psi$, the normal form of $\Psi$:

$S_i^*(m)$ iff there is some tuple a such that $\Psi(a)$ holds and [a] is the
m-th k-equivalence class of the structure $A_i$.

Alternatively, following the normal form Theorem 6, we obtain:

$S_i^* = \{m \mid \hat A_i \models \hat\Psi([a]) \text{ where } [a] \text{ is the element of rank } m \text{ in } \hat A_i\}$

To describe the computation from step 0 to step i, we define the following 2k-ary
relation on the second sort:

$R^i_\Psi = \{(j,m) \mid 0 \le j \le i \text{ and } S_j^*(m)\}$

We define the similar relations $R^i_\Phi$ and $R^i_F$ for the formulas $\Phi$ and F, respectively.

Remark: If a formula has less than k free variables, one can add to it dummy free
variables to obtain an equivalent formula having exactly k free variables. So, when
defining the above relations, we assume that each of the formulas $\Psi$, $\Phi$, F has
exactly k free variables. We will consider any m-tuple $(a_1,\dots,a_m)$, with m < k, as a
k-tuple in which the last element $a_m$ is repeated (k-m) times. This k-tuple will be
denoted by $(a_1,\dots,a_m)\uparrow_k$.

The following operator $P_{k\sigma}$ defines a computation similar to that of the choice
fixpoint operator, using three relations playing the role of the above $R^i_\Psi$, $R^i_\Phi$
and $R^i_F$:

Definition 7. Let A be a structure over $\sigma$ and A* be the two-sorted variant of A. For
each k, let $R_1$, $R_2$, $R_3$ be three 2k-ary relations on the second sort of A*, and S,T be
two relation symbols not in $\sigma$, having arity respectively k and m, where
$m = \lfloor (k-2)/2 \rfloor$. The operator:

$P_{k\sigma}(A^*,R_1,R_2,R_3)$

defines a structure which is the limit of a sequence of structures $J_i = (A,S_i,T_i)$
computed as follows:

$S_0 = T_0 = \emptyset$,

for $i \ge 0$, $T_{i+1} = \mathrm{choice}(J_i,\Phi_i,F_i)$, $S_{i+1} = S_i \cup \Psi_i$,

where $\Phi_i = \{(a_1,\dots,a_m) \mid [(a_1,\dots,a_m)\uparrow_k] \text{ is the n-th k-equivalence class of } J_i \text{ and } R_2(i,n)\}$,

$F_i = \{a \mid [a] \text{ is the n-th k-equivalence class of } J_i \text{ and } R_3(i,n)\}$,

$\Psi_i = \{a \mid [a] \text{ is the m-th k-equivalence class of } J_i \text{ and } R_1(i,m)\}$ □

The next lemma follows immediately from the definitions of the relations $R^i_\Psi$, $R^i_\Phi$
and $R^i_F$ and from Definition 7.

Lemma 6. Let $A_i$ be the structure defined at step i in the computation of a formula
$\mathrm{IFP}_{c,s}[S,T](\Psi,\Phi,F)$ of choice-IFP$^k$ on a structure A, then

$A_i = P_{k\sigma}(A^*,R^i_\Psi,R^i_\Phi,R^i_F)$.

Suppose that in Definition 7 we have $J_{m+1} = J_m$, so the limit structure is $J_m$. We
associate to $P_{k\sigma}$ an operator $\hat P_{k\sigma}$ defined as follows:

$\hat P_{k\sigma}(A^*,R_1,R_2,R_3) = \hat J_m$

where $\hat J_m$ is the k-quotient structure of $J_m$.

Remark. By definition, the operator $P_{k\sigma}$ is non-deterministic: it may associate to
each input structure A different output structures. However, these output structures
are isomorphic and therefore have the same canonical k-quotient structure (whose
domain is the second sort). The operators $\hat P_{k\sigma}$ aim precisely to define this canonical
structure. They are deterministic and one can therefore define generalized quantifiers
to simulate them.

Let $Q_{k\sigma}$ be the sets of quantifiers associated to the operators $\hat P_{k\sigma}$ (see Fact 1 of
Section 2) and $Q_\omega$ be the union of all $Q_{k\sigma}$ for $k \in \omega$ and all $\sigma$. Let choice-IFP$^k(\sigma)$
be the set of formulas of choice-IFP$^k$ over a vocabulary $\sigma$.

Theorem 7. If a property of structures is definable by choice-IFP$^k(\sigma)$ then it is
definable by $FP^*(Q_{k\sigma})$.

Proof: We show that each formula $\mathrm{IFP}_{c,s}[S,T](\Psi,\Phi,F)$, where $\Psi$, $\Phi$, F are fixpoint
formulas of k variables over $\sigma \cup \{S,T\}$, can be simulated by a formula $\Gamma$ of
$FP^*(Q_{k\sigma})$. This formula $\Gamma$ describes the computation of the choice formula on a
structure A as follows:

Let $A = A_0$ be the input structure. For each i>0, let $A_i$ be the structure defined by
$\mathrm{IFP}_{c,s}[S,T](\Psi,\Phi,F)$ at the step i. Let $\hat\Psi$, $\hat\Phi$, $\hat F$ be the normal forms of $\Psi$, $\Phi$, F,
respectively. For each step i, $\Gamma$ defines the following structures and relations:
$M_i$, $R_{1,i}$, $R_{2,i}$, $R_{3,i}$.

For i=0, $M_0$ is the k-quotient structure of the input A, which is defined by a usual
fixpoint formula. $R_{1,0}$, $R_{2,0}$, $R_{3,0}$ are equal to $\emptyset$.

For i > 0, $\Gamma$ defines $M_{i+1}$ from $M_i$ as follows:

$\Gamma$ first defines $R_{1,i}$, $R_{2,i}$, $R_{3,i}$ by:

$R_{1,i} := R_{1,i-1} \cup \{(i,m) \mid m \in \hat\Psi(M_i)\}$

$R_{2,i} := R_{2,i-1} \cup \{(i,m) \mid m \in \hat F(M_i)\}$

$R_{3,i} := R_{3,i-1} \cup \{(i,m) \mid m \in \hat\Phi(M_i)\}$

Using the operator $\hat P_{k\sigma}$ (or, equivalently, the quantifiers of $Q_{k\sigma}$), $\Gamma$ defines then

$M_{i+1} := \hat P_{k\sigma}(A^*,R_{1,i},R_{2,i},R_{3,i})$

It is easily seen that for each i, $R_{1,i}$, $R_{2,i}$, $R_{3,i}$ coincide with $R^i_\Psi$, $R^i_\Phi$, $R^i_F$,
respectively.

So, by Lemma 6, for each i, the structures $M_i$ defined by formula $\Gamma$ are respectively
the k-quotient of the structures $A_i$ defined by the formula $\mathrm{IFP}_{c,s}[S,T](\Psi,\Phi,F)$ at
step i. This implies that, for the boolean case, the two formulas give the same truth
value. Moreover, it is easy to verify that the formula $\Gamma$ that describes the
computation in question is in $FP^*(Q_{k\sigma})$. □

The converse of the above theorem is probably not true. In fact, although the 
definition of the quantifiers of Q^, is based on the operators Pj,^ ( Definition 7) 
whose computation is similar to that of a choice fixpoint formula, there are two 
reasons for which FP*(Qqj) is more powerful than choice-IFP. Firstly, the second 
sort is not available in choice-IFP. Secondly, the choice process in choice-IFP is 
applied only to the input structure, while in FP*(Qqj) it can be applied to any 
definably interpreted structure. However, a complete characterization can be 
obtained for the full logics, i.e., the closure of choice-IFP and FP*(Q^j) under 
interpretation. 

Theorem 8 . A property of structures is definable by choice-IFP H- 1 if and only if it 
is definable by FP*(Q^, ) H- 1 . 
Proof: The "only if" part is immediate from the above theorem. 

To show the "if" part, we will show that, using the reduction, we can simulate by a 
choice formula the second sort and the quantifiers of FP*(Q^q). 

The simulation of the second sort is as follows: 

Let T be a formula of FP*(Qqj), and let k be an integer such that var(F) < k where 
var(F) is the number of variables in F, and for any quantifiers of Qjj^ , Q'jj^ occurs in 
F, m < k . For any input structure A over {R]^,...,Rjj)we can define a structure 

A' = Au R, where R is a unary relation whose elements are k-tuples of by the 
following reduction: 

A' =7t(A) 

with 7 t = <tp]j , Rj,...,Rjj> , where tpj, is a formula defining the set of k-tuples of a 
structure. 

Using choice construct on the structure A', one can define a total order on the 
elements of R. This ordered set can be used to simulate the second sort of A*. 

For the simulation of the quantifiers of Q'nio it follows from the fact 

that an operator of the form Pjj ^0 (A, Rj^ ,R 2 ,R 3 ) can be defined by a choice 
formula of the form IFP.^^[S,T]('P,<I>, F). In fact, one can construct, for example, a 
formula T' that, for a given structure B, a relation Rj^ and an integer i, computes the 

m-equivalence classes of B , and then outputs the m-tuples a such that the rank of a 
is n and Rj(i,n). 0 



6 Conclusion 

This paper is a further step in the study of the expressive power of the choice 
fixpoint logic proposed in [GH]. Our results show that this logic has a promising 
expressive power. In fact, it cannot be captured by a finite number of generalized 
quantifiers, although this can be done locally. The question whether this logic 
captures PTIME is, however, still open. We think that notions like logical 
reductions and their relationships with generalized quantifiers play an important 
role in this question and have to be studied further in the context of logics with 
the choice construct. 
Abstract. In our paper, we prove that Graph Connectivity is not in 
Monadic NP even in the presence of a built-in relation of arbitrary degree 
that does not have, for an arbitrary but fixed $k > 2 \in \mathbb{N}$, the 
complete graph $K_k$ as a minor. We obtain our result by using the method 
of indiscernibles and giving a winning strategy for the duplicator in the 
Ajtai-Fagin Ehrenfeucht-Fraïssé Game. 

The result is afterwards strengthened to arbitrary forbidden minors and 
to minor-closed classes of binary relations. 

Keywords: Monadic Second-Order Logic, Descriptive Complexity Theory, 
Ehrenfeucht-Fraïssé Games, Finite Model Theory. 



1 Introduction 

The interconnection between the logical definability of a property on finite 
structures and the computational complexity of the best known algorithm for 
deciding that property raises new questions about the expressive power of logics, 
motivated by open questions from Complexity Theory. In particular, there is 
a kind of parallelism between Logic and Complexity: one can observe from the 
work of Fagin [6] and Immerman [11] that stronger logics allow one to formulate 
problems known to be algorithmically more difficult. Thus, an investigation of 
those open questions in Logic is an investigation of Complexity Theory, too. 

In his seminal paper [6], Fagin showed that NP coincides with Existential 
Second-Order Logic ($\exists$SOL) on finite structures. Unfortunately, $\exists$SOL is 
relatively hard to handle. One reason for this is that quantification over 
arbitrary relations allows one to encode functions into relations and relations 
into other relations. 

When we restrict ourselves to existential quantification over unary relations 
(which can be viewed as existentially quantifying over sets), i.e. consider 
Existential Monadic Second-Order Logic ($\exists$MSOL), the effect described above 
can no longer occur. In terms of Complexity Theory, the set of all problems 
definable in $\exists$MSOL forms a subclass Monadic NP ($\mathrm{Mon}\,\Sigma^1_1$) of NP. 

A natural question is whether $\mathrm{Mon}\,\Sigma^1_1$ can be placed in the hierarchy 
of complexity classes: On the one hand, the intersection of NPC (i.e. the set of 
all NP-complete problems) and $\mathrm{Mon}\,\Sigma^1_1$ is nonempty, since Graph 
3-Colorability is in $\mathrm{Mon}\,\Sigma^1_1$ and known to be NP-complete; on the 
other hand, Graph Connectivity is obviously in P, but not in $\mathrm{Mon}\,\Sigma^1_1$, 
as Fagin showed [7]. Thus, $\mathrm{Mon}\,\Sigma^1_1$ is not a superset of P. Conversely, 
Graph Connectivity is known to be in Monadic co-NP, i.e. definable by a universal 
MSOL formula. Hence, it is an interesting question how much expressive power must 
be added to $\exists$MSOL such that Graph Connectivity can be defined. 

One possible such enhancement of $\exists$MSOL is adding built-in relations, i.e. 
relations whose interpretations are fixed a priori. 

Fagin, Stockmeyer and Vardi [9] asked whether negative definability results can 
be proven for Graph Connectivity and $\mathrm{Mon}\,\Sigma^1_1$ enhanced by built-in 
relations of large degree. Several negative definability results for Graph 
Connectivity and enhancements of $\exists$MSOL by built-in relations have been proven 
up to now (e.g. linear order, degree $n^{o(1)}$) [9,12,18]; in our paper, we give a 
further negative result for a large class of built-in relations: the class of all 
binary relations that, when taken as graphs, do not have, for an arbitrary but 
fixed $k \in \mathbb{N}$, the complete graph $K_k$ as a minor, i.e. do not have an 
induced subgraph that can be contracted and from which edges can be omitted in 
such a way that the obtained graph is isomorphic to the $K_k$. 

From Wagner's characterization of planar graphs as those with no minor 
isomorphic to the complete graph $K_5$ or the bipartite graph $K_{3,3}$ to the famous 
proof of Wagner's Conjecture by Robertson and Seymour [15,16,17], saying that 
an arbitrary set M of graphs must be finite if it has the property that no graph 
of M is isomorphic to a minor of another graph in M, graph minors have proved 
to be a useful tool in many areas of graph theory, covering topological as well 
as algorithmic aspects (see [17]). The main point in all these applications is 
the characterization of the structure of graphs which do not have an arbitrarily 
given but fixed graph as a minor. Graphs with no minor isomorphic to the $K_k$ play 
an essential role there. Our main result shows that for these graphs as built-in 
relations the problem whether Graph Connectivity is in $\mathrm{Mon}\,\Sigma^1_1$ can be 
settled as well, i.e. that Graph Connectivity is not in $\mathrm{Mon}\,\Sigma^1_1$ even in 
the presence of such a built-in relation. Our proof works in two steps: First, we 
show a separation result for the built-in relation; afterwards, we give a winning 
strategy for the duplicator in the Ajtai-Fagin-Ehrenfeucht-Fraïssé Game based on 
that separation result. 

We strengthen our result to arbitrary (but finite) forbidden minors and to 
arbitrary built-in relations which belong to a minor-closed class of irreflexive 
symmetric binary relations that is not equal to the class of all irreflexive 
symmetric binary relations. Finally, we show that for built-in relations of 
bounded tree-width a similar result can be proved. 

Acknowledgement. We are grateful to an unknown referee for many helpful 
constructive suggestions. 

2 Definitions 

In our paper, we use standard terminology that can be looked up in textbooks on 
Logic, Complexity Theory and Graph Theory, e.g. [4,5,13]. Below, we introduce 
some additional notation: 
Graphs are represented as structures with one irreflexive binary relation E. In 
the standard way, we look at a graph G as a pair $G = (V(G), E(G))$, where $V(G)$ 
is the set of vertices and $E(G)$ stands for the set of edges. We do not distinguish 
between a binary relation and a graph. We say that the vertices $x, y \in V(G)$ of 
a graph $G = (V(G), E(G))$ are adjacent, briefly $\mathrm{Adj}_G(x, y)$, if 
$(x, y) \in E(G)$. If $X \subseteq V(G)$, we call $G{\restriction}X$ the induced subgraph 
of G by X. The d-neighbourhood of a vertex $v \in V(G)$ is 
$\mathcal{N}^d_G(v) := G{\restriction}\{y \in V(G) : \mathrm{dist}_G(v, y) \le d\}$ with $d \ge 0$ 
and $\mathrm{dist}_G(v, y)$ denoting the distance of $v, y \in V(G)$ in G. We sometimes 
use a vertex set as the second argument: 
$\mathrm{dist}_G(v, B) := \min\{\mathrm{dist}_G(v, b) \mid b \in B\}$. We denote by $G - v$ 
the structure $G{\restriction}(V(G) \setminus \{v\})$, analogously $G - R$ for a set 
$R \subseteq V(G)$. The degree $\deg(v)$ of a vertex v is the number of vertices that 
are adjacent to v. 

In the following, we assume that the vertex set $V(G)$ of any graph G consists of 
the first n natural numbers, i.e. if $|V(G)| = n$, then $V(G) = \{1, 2, \ldots, n\} = [n]$ 
for simplicity. Since $V(G)$ is a set of natural numbers, we can always use the 
canonical order for $\mathbb{N}$ also for vertices. Sequences are referred to by 
angles $\langle\,\rangle$. 

A sequence $B = \langle B_1, B_2, \ldots \rangle$ is a built-in relation if for any 
$n \in \mathbb{N}$ the domain of $B_n$ is $[n] \times [n]$. We note that B itself is not a 
relation. In this paper, we only consider symmetric irreflexive relations as 
built-in relations. If P is a set of graphs, then a formula $\varphi$ expresses P in 
the presence of a built-in relation B, if for every graph G it holds that 
$(G, B_{|V(G)|}) \models \varphi$ iff $G \in P$. The set P is denoted as a property. 

$\mathrm{Mon}\,\Sigma^1_1$ is the sublogic of $\exists$SOL where second-order variables are 
restricted to unary predicates. A $\mathrm{Mon}\,\Sigma^1_1$-formula is of the type 
$\exists X_1 \ldots \exists X_j\, \varphi$, where $\varphi$ is a First-Order (FO) formula with 
free unary variables $X_1, \ldots, X_j$. 

A property P on graphs is said to be in $\mathrm{Mon}\,\Sigma^1_1$ if there is a formula 
$\varphi \in \mathrm{Mon}\,\Sigma^1_1$ such that for any G it holds 
$G \models \varphi \Leftrightarrow G \in P$. 

The Ajtai-Fagin-(c, r)-Ehrenfeucht-Fraïssé Game [1] for a property P and 
$\mathrm{Mon}\,\Sigma^1_1$ is played by two players, the spoiler and the duplicator, as 
follows: 

1. The duplicator chooses a graph $G_0 \in P$. 

2. The spoiler colors $G_0$ with the c colors $C_1, \ldots, C_c$. 

3. The duplicator chooses a graph $G_1 \notin P$. 

4. The duplicator colors $G_1$ with the c colors $C_1, \ldots, C_c$. 

5. The spoiler and the duplicator play an r-round Ehrenfeucht-Fraïssé Game on 
the two structures $(G_0, C_1, \ldots, C_c)$ and $(G_1, C_1, \ldots, C_c)$. 

The duplicator wins if the two substructures induced by the pebbled vertices 
wrt. their pebbling order are isomorphic. Otherwise, the spoiler wins. A player 
has a winning strategy if he can play in such a way that he will win, whatever 
the other player does. $G_0$ and $G_1$ are FO r-equivalent (briefly: $G_0 \sim_r G_1$) 
iff the duplicator has a winning strategy in the r-round Ehrenfeucht-Fraïssé Game 
on $G_0$ and $G_1$. A property P is not in $\mathrm{Mon}\,\Sigma^1_1$ iff for any 
$c, r \in \mathbb{N}$ the duplicator has a winning strategy in the Ajtai-Fagin-(c, r)-game 
for P. 
3 The main result 

Definition 1. Let G be a graph. A graph H is called a minor of G, briefly 
$H \preceq G$, if there is a subgraph of G that is either isomorphic to H or can be 
transformed into a graph that is isomorphic to H by successively eliminating 
edges and/or contracting edges and identifying the two incident vertices involved. 

Table 1 gives a brief overview of several classes of graphs with at least one 
forbidden minor of those classes. 



class of graphs                               forbidden minor 
--------------------------------------------  ---------------------- 
trees / forests                               $K_3$ 
planar graphs                                 $K_5$ and $K_{3,3}$ 
graphs of tree-width at most k                $K_{k+2}$ 
partial k-trees                               $K_{k+2}$ 
chordal graphs with maximal clique size k     $K_{k+1}$ 
series-parallel graphs                        $K_4$ 
graphs with non-oriented genus < [ -|         $K_{k+1}$ 

Table 1. Classes of graphs with at least one forbidden minor. 



Now, we are ready for the main result of this paper: 

Theorem 1. For every $k \in \mathbb{N} \setminus \{1\}$, Graph Connectivity is not in 
$\mathrm{Mon}\,\Sigma^1_1$, even in the presence of an irreflexive symmetric built-in 
relation that does not have the complete graph $K_k$ as a minor. 

Proof: The proof proceeds in two steps: First, we show a special separation 
result (Lemma 1) for graphs that do not have the $K_k$ as a minor. This allows us 
to look at the built-in relation as being composed of many local substructures, 
when at most $k - 2$ vertices are removed appropriately. In particular, this k does 
not depend upon the size of the built-in relation. In the second step of the proof, 
we give a winning strategy of the duplicator in the Ajtai-Fagin (c, r)-game for 
Graph Connectivity, $\mathrm{Mon}\,\Sigma^1_1$ and the built-in relation. This winning 
strategy relies on the separation result. 

Let $k \in \mathbb{N}$ be arbitrary, but fixed, let $B = \langle B_1, B_2, \ldots \rangle$ be a 
sequence of graphs that do not have the complete graph $K_k$ as a minor, where 
$V(B_n) = [n]$. 

For any $n \in \mathbb{N}$, let $v_n$ be a vertex of $B_n$ of maximal degree. Let 
$r, c \in \mathbb{N}$ (the number of rounds and the number of colors, respectively) be 
arbitrary, but fixed, let $C = \langle C_1, \ldots, C_c \rangle$ be the sequence of colors. 

If $k = 3$, then B consists of forests, hence, our theorem follows from [12]. 
Schwentick showed [18] a negative definability result for Graph Connectivity, 
$\mathrm{Mon}\,\Sigma^1_1$ and built-in relations of degree $n^{o(1)}$. Thus, we only have 
to consider the case that $\deg(v_n) \in O(n) \setminus n^{o(1)}$, hence, the case that 
$k = 2$ is included there (since in this case all relations in B are empty). 
We call the sequence B $(k; j)$-separable, if for any $l \in \mathbb{N}$ there exists an 
$n \in \mathbb{N}$, a set $M_n \subseteq [n]$ of $v_n$-neighbours in $B_n$ with $|M_n| > l$ and 
a set $SV_n$ with $v_n \in SV_n$, $|SV_n| \le k$, $M_n \cap SV_n = \emptyset$ and for 
arbitrary $x_1 \ne x_2 \in M_n$ it holds 




Fig. 1. A sketch of a $(2; j)$-separable graph $B_n$ ($j > 1$) 

Figure 1 gives an intuitive sketch of $(2; d)$-separability, i.e. here we have that 
$SV_n = \{v_n, s\}$. The grey areas stand for the j-neighbourhoods of the respective 
$v_n$-neighbours in $B_n - v_n - s$. 

Proposition 1. If there exists a $j \in \mathbb{N}$ such that B is $(k-1; j)$-separable, but 
B is not $(k-2; j)$-separable, then there is an $n \in \mathbb{N}$ with $K_k \preceq B_n$. 

Sketch of Proof: Let $B_n$ be as above. We take for a large enough $n \in \mathbb{N}$ 
an appropriate $(k-1)$-element subset of $M_n$. Since $|SV_n| = k - 1$ and $B_n$ is not 
$(k-2; j)$-separable, there is a subgraph of $B_n$ whose edges can be contracted 
in such a way that the bipartite graph $K_{k-1,k-1}$ remains ($k - 1$ vertices are in 
$SV_n$, the other $k - 1$ vertices are those of $M_n$). Our proposition follows from 
$K_k \preceq K_{k-1,k-1}$. 

Definition 2. A set $I_n \subseteq M_n$ is said to be $(h, m)$-indiscernible for 
$h, m \in \mathbb{N}$ if for all $x_1 < \cdots < x_m$, $x'_1 < \cdots < x'_m \in I_n$ it holds 

$(B_n, v_n, x_1, \ldots, x_m) \sim_h (B_n, v_n, x'_1, \ldots, x'_m).$ 

We have defined this variant of the notion of indiscernibles here just for our 
special application, i.e. we consider only a very special case of the more general 
concept of indiscernibles from Model Theory (see e.g. [20]). 

Theorem 2. (see also [20], Theorem 2.f) For all $h, l, m \in \mathbb{N}$ and a fixed finite 
set of constants there exists an $n \in \mathbb{N}$ such that $M_n$ contains an l-element 
subset $I_n$, which is $(h, m)$-indiscernible. 

Proof: The proof is an obvious consequence of the finite version of the 
well-known theorem of Ramsey and the fact that $\sim_h$ is of finite index, since the 
degree of $v_n$ and hence the cardinality of $M_n$ can be made large enough if n is 
chosen large enough. 

Now, we will prove that B is $(k-2; 2^r)$-separable. This is accomplished by a 
breadth-first search in $B_n$ for a sufficiently large $n \in \mathbb{N}$ as follows: We begin 
with the vertices in $M_n$ (i.e. that have distance $d = 0$ from $M_n$) and look for a set 
$I_n \subseteq M_n$ that is $(k-2; d)$-separable. It will turn out that $k = 0$ in this case. Then 
we will successively increase d and obtain in each step a subset C for 
which we will show that it is $(k-2; d+1)$-separable. This is done by considering 
the behaviour of the vertices having distance $d + 1$ from 

Lemma 1. Let B be the built-in relation as above. Then for any $l > 3 \cdot k$, 
any $d > 0$ and any $h > 3 \cdot k \cdot d$ there exists an $n = n(d, l, h)$, a sequence of sets 
$\langle SV_n^{-1}, \ldots, SV_n^{d} \rangle$ and a set with 

1. C Mn and \I^\ > I 

2. For all 0 < j < d: C SV^ C ¥{^1^)) \ Tj, , SV~^ = {vn} 

tin 

and I SVn \ < k — 2. 

3. It holds for all xi < ■ ■ ■ < X 2 k, x'l < ■ ■ ■ < x^^. G 

(Bni{V{ {Ii))\isvt^) ,SVff-\x^,...,X 2 k) 

'~^h 

(BniiVi {li))liSVn^-^) ,SVf^-\x[,...,x'^A 

4- For all 0 < j < d: {iff) consists of exactly \lf \ disconnected compo- 

b„-Sv4 

nents, each of which contains exactly one vertex that belongs to if. 

Proof: First, we note the difference in the right upper index of above 
(items 3) and 4))j what is the main “trick” for proving the lemma. 

If for any / G IN there is an n G IN, an /-element subset Mf C and for any 
two vertices x,y G Mf it holds V{ (x)) fl V{ Af^ (y)) = 0, we are done: 

Bn—Vn Bn—Vn 

Set SVf := {vn} for —1 < j < d and apply Theorem 2 on the vertices in Mf, 
hence we obtain a set C Mf that trivially fulfills the above conditions 1.-4- 

Thus, we can assume that there is a universal bound in B for the number of 
such vertices in for each n G IN. We show the lemma by induction on d, i.e. 
we perform a kind of breadth-first search in the graphs of B: 

For d = 0, we obtain for any I > 3 * k and any h > 3 * k * d an 
n = n(0, /, h) and if by directly applying the standard version of Ramsey’s 
Theorem as follows: We obtain for all / > fc (otherwise take / := fc -I- 1) an 
/-element set if C with Bnflf = Ki, i.e. this induced substructure is edge- 
less. Hence, condition 1. is fulfilled. Setting SV~^ := {r’n} and SV^ '■= {r’n} 
fulfills obviously condition 2. Clearly, condition 3. holds for the “canonical” 
<-relation in since both structures considered there are stars. As pointed out 
above, Bnil^ is edgeless, thus, condition 4- also holds. 

We now consider the case $d + 1$, i.e. for any $l \in \mathbb{N}$ and any $h \in \mathbb{N}$ we have to 
find an $n = n(d+1, l, h) \in \mathbb{N}$ and sets that fulfill conditions 1.-4. 

Let $l > 3 \cdot k$ and $h > 3 \cdot k \cdot d$ be arbitrary, but fixed. 

By induction hypothesis, for any Z G IN exist n = n{d,l,h), a set C [n] 
and a sequence {SV^^ , . . . , SV^j;) that fulfill conditions 1.-4- Let B' = (Bt) be 
the sequence of graphs where 



sv4l) 

Bn-SVi 

We apply Theorem 2 on B' with (instead of Mn) and the vertices in S'V^ 
are the additional constants. Note that |S'V^| < k — 2. From this, we obtain an 
ordered set C of (Zi, 2Zc)-indiscernible vertices, which fulfills condition 3. 
From Theorem 2 and the induction hypothesis follows that for Z there is an Z G IN 
such that if I I'd > f, then > Z. Thus, we can choose n(d + 1,Z, Zi) := n, 

hence, condition 1. holds. 

Let := i.e. the d+ 1-neighbourhood of in 

Bn-SV^ 

without the vertices in S'V^f and without those vertices that are only reachable 
from via vertices in SV,^. Since the latter are distinguished, the vertices 
in are also (Zi, 2Ze)-indiscernible in Now, we consider 

more closely: If is disconnected in such a way that no two vertices 

Xi^X2& are in the same connected component, we can set := S'V^f 

and are done: Condition 4- follows for j < d -|- 1 from the induction hypothesis, 
since C for j = d -|- 1, since is disconnected as pointed out 

above. Condition 2. also follows from its validity in the induction hypothesis and 
the fact that C Note that the validity of the other two conditions was 
already assured above. 

So, we consider the case that there exist two vertices x\ ^ X 2 & which 
are in in the same connected component: 

Proposition 2. If there are pairwise different X\,X 2 ,X 3 G 

y G P(iV5'V(f+^) sueh that dist {xi,y) = d+1 and dist {x 2 ,y) < d + 2 

NSVf+^ NSVf+^ 

and dist {xs, y) > d + 2, then Kk < iV5'V(f+^, thus Kk -< Bn- 
NSVf+^ 

Sketch of Proof: The main idea of the proof is to make use of the indiscerni- 
bility property of the vertices in It can be used by considering different 

games in which the duplicator always has a winning strategy. From the possi- 
bilities how the spoiler can play in such games (and will lose), we deduce the 
desired structure result about . 

Let z G P(A5'V(f+^) and dist (a;, z) = d -I- 1. Now, we look at the relative posi- 
tion of z to the vertices in Let k(z) := |{a: G | dist , z) = d+l}\. 

z is chosen in such a way that k(z) is maximal (if there are several such vertices 
z, we take that with the least number) and k{z) < 

Now, we distinguish three cases: Either k{z) = 1 and there is a vertex in 
that has distance d + 2 from z or 2 < k(z) < 2k or k(z) > 2k. 

If 2 < k(z) < 2k, then the spoiler can exactly verify which vertices in 
have distance d + 1 to z, thus, he can also verify the number of these vertices; 
this is the key to the construction of a Kk : The duplicator has for any 2k vertices 
a:i < • • • < Xk,x'i < ■ ■ ■ < x'f. € a winning strategy in the /i-round game 
on {NSV^^^ ,Vn, xi, . . Xk) and x [, . . . , x'/.), since the vertices in 

are {h, 2fc)-indiscernible, thus, are {h, fc)-indiscernible. The idea is that for 
any K(z)-tuple in exists a vertex z that has distance d + 1 to all vertices in 
that tuple. We obtain from this a Kk, as sketched for k(z) = 3 in Figure 2 for 
the first contraction step. 



Fig. 2. The situation in the beginning. 

Fig. 3. Contracting the $z_{i,j}$. 



Now, we treat the case k{z) > 2k. In contrast to the above case, the spoiler 
cannot verify any more the exact number of the vertices in to which z has 
distance d + 1 in . This requires a different construction of the Kk as 

a minor. Since k(z) < for any such z exists at least one x G which 

does not have distance d + 1 from z. This observation is the starting point for 
the construction of the Kk in this case: We now consider /i-round games on 
NSV.^^^ , in which in the first structure the 2k least (wrt. <) vertices in 
are distinguished. The idea is that for any 2fc-tuple in exists a z that has 
distance d + 1 to any vertex of that tuple, and a vertex Xi- that has distance 
> d + 1 to z. In order to find k different such vertices z (to construct a Kk), we 
consider iterated games where always at least k same vertices and the xt . are 
distinguished. Figures 4,5 sketch the behaviour. The distance from Zj to xi- is 
greater than d + 1 for j < fc' + 1; this is denoted in Figure 5 by a missing line. 

Fig. 4. After the first game. 

Fig. 5. After the $(k'+1)$th game. 
Finally, we have to consider the case k{z) = 1, i.e. two vertices x\ ^ X 2 & 

exist with dist (xi,z) = d + 1 and dist (x 2 ,z) = d + 2. We refer to ^ as 

NSV^+^ 

Zi ^2 and to its neighbour which has distance d + 1 from X 2 as 2 : 2 , 1 . The idea is 
to derive successively for any pair Xi ^ Xj G two such vertices Zij and Zj^i 
and then constructing a from this. 

Thus, any vertex y G V{NSV^^^) with dist (y, 1^+^) = d+1 has either 

distance d + 1 to exactly one vertex in or to all vertices in From 

Proposition 1 follows that at most k — 2 — |S'V^| such vertices can exist that 
have distance d + 1 to all vertices in since otherwise Kk -< Bn- Thus, we 
can add these at most k — 2 — \SV^\ vertices to SV^ and refer to the resulting 
set as . The subset part of condition 2. obviously holds, its second part 

follows from Proposition 1. We obtain condition for values d' < d + 1 from the 
induction hypothesis, since C For d+1, condition 4- follows directly 
by the above construction of what concludes our induction and hence, 

proves Lemma 1. 

q.e.d. 

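Proposition 3. Let B be as above, let $r \in \mathbb{N}$ be arbitrary, but fixed. Then for 
any $l \in \mathbb{N}$ there is an $n \in \mathbb{N}$ and sets $I_n$, $SV_n$ such that for any 
$x_1 \ne x_2 \in I_n$ the following two assertions hold: 

a) B is $(k-2; 2^r)$-separable. 

b) $\big(B_n{\restriction}(V(\mathcal{N}^{2^r}_{B_n - SV_n}(x_1)) \cup SV_n),\, SV_n,\, x_1\big) \sim_{(r+2^r)} \big(B_n{\restriction}(V(\mathcal{N}^{2^r}_{B_n - SV_n}(x_2)) \cup SV_n),\, SV_n,\, x_2\big)$ 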

Proof: Let Z G IN be arbitrary, but fixed. By Lemma 1, there is an n G 
IN such that for d := 2’’ + 1 and h := r + 2’’ there is a set /„ and a se- 
quence . . . , that fulfill conditions 1.-4- We set /„ := In^^ and 

SVn :=SV^\ 

Assertion a) follows from conditions 1. and 4- in Lemma 1 for j = 2’’ < d. 
Assertion b) follows from condition 3. in Lemma 1 and by the transitivity of 
~(r+2'-)) note that by assertion a), the considered structures are pairwise vertex- 
disjoint except the vertices in SVn- It is important to see that /„ was chosen to 
be i.e. from condition 3. in Lemma 1 follows something slightly stronger 

than we require here. 

Let $l \in \mathbb{N}$ be arbitrary, but fixed, let $n \in \mathbb{N}$ be as in Proposition 3, let 
$D := \mathcal{N}^{2^r}_{B_n - SV_n}(I_n)$. We define a function u and a set function U as 
follows: 

$$u(x) := \begin{cases} y \in I_n & \text{if } x \text{ belongs in } D \text{ to the same component as } y \\ \bot & \text{if } x \notin V(D) \end{cases}$$ 

$$U(x) := \begin{cases} \{y : u(y) = u(x)\} & \text{if } u(x) \ne \bot \\ \emptyset & \text{otherwise} \end{cases}$$ 

We also allow the argument for U to be a set, i.e. for $X = \{x_1, \ldots, x_i\} \subseteq V(D)$ 
is $U(X) = U(x_1) \cup \cdots \cup U(x_i)$. 

Now, the duplicator chooses the undirected simple connected graph 
$G_0 = (V(G_0), E(G_0))$ (i.e. $G_0$ contains no loops or multiple edges) as follows: 

- $V(G_0) = V(B_n) = [n]$. 

- $E(G_0)$ is defined according to a)-f), let y, z be arbitrary vertices of $G_0$: 

a) If $y \notin I_n$ and $z \notin I_n$ and $\mathrm{Adj}_{B_n}(y, z)$: $(y, z) \in E(G_0)$. 

b) If $y \in I_n$ and $z \notin I_n$ and $z \ne v_n$ and $\mathrm{Adj}_{B_n}(y, z)$: $(v_n, z) \in E(G_0)$. 

c) If $y \in I_n$ and $z \in I_n$, say, $y = x_i$, $z = x_j$: $(y, z) \in E(G_0)$ iff $i = j - 1$. 

d) $(x_1, v_n) \in E(G_0)$, $(x_l, v_n) \in E(G_0)$. 

e) Any disconnected component in $B_n$ not containing $v_n$ is connected by 
an undirected edge from one arbitrary vertex of that component to $v_n$. 

f) $(y, z) \notin E(G_0)$ in all remaining cases. 

Intuitively, all $B_n$-edges are covered by $G_0$-edges except those being incident 
to vertices in $I_n$; these are connected to $v_n$ and any $I_n$-vertex is connected to 
both its neighbours wrt. the order of $I_n$. The largest and the least vertex of $I_n$ 
are connected to $v_n$. 

Now, the spoiler colors the graph $G_0$ with the c colors $C_1, \ldots, C_c$. 

Proposition 4. There exist sets $T = \{t_0, \ldots, t_{2^r+1}\} \subseteq I_n$, 
$W = \{w_0, \ldots, w_{2^r+1}\} \subseteq I_n$, and two vertices $t_{-1}$, $w_{-1}$ with 
$t_i < t_j$, $w_i < w_j$ for $-1 \le i < j \le 2^r + 1$, $t_{2^r+1} < w_{-1}$ and 
$\mathrm{Adj}_{G_0}(t_{i-1}, t_i)$, $\mathrm{Adj}_{G_0}(w_{i-1}, w_i)$ for $0 \le i \le 2^r + 1$ and 

$\big((G_0, B_n, C){\restriction}(U(T) \cup SV_n),\, SV_n,\, t_0, \ldots, t_{2^r+1}\big) \sim_{(r+2^r)} \big((G_0, B_n, C){\restriction}(U(W) \cup SV_n),\, SV_n,\, w_0, \ldots, w_{2^r+1}\big)$ 

Proof: First, we note that T, W are ordered, since they are subsets of the 
ordered set $I_n$; furthermore, by $t_{2^r+1} < w_{-1}$ and the ordering of T, W, we have 
that $(T \cup \{t_{-1}\}) \cap (W \cup \{w_{-1}\}) = \emptyset$. 

By Proposition 3 b), all considered structures belong without coloring to 
the same $\sim_{(r+2^r)}$ equivalence class (note that $\sim_{(r+2^r)}$ is an equivalence 
relation of finite index). Since c is finite, there are only finitely many 
$\sim_{(r+2^r)}$ equivalence classes when the coloring is respected; thus, our claim 
follows, because $l \in \mathbb{N}$ (the cardinality of $I_n$) can be chosen arbitrarily large 
by Proposition 3 a). 

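Let $TW := T \cup W$, let $H^0 := \{t_0, t_1, w_0, w_1\}$. We define a special distance 
measure $\delta^0$, let $x \in [n]$: 

$$\delta^0(x) := \begin{cases} \min\{\, \mathrm{dist}_{G_0 - t_{-1} - w_{-1}}(y, H^0) + \mathrm{dist}_{B_n - SV_n}(x, y),\; 2^r + 1 \,\} & \text{iff there is } y \in TW : u(x) = y \\ 2^r + 1 & \text{otherwise} \end{cases}$$ 

Thus, if $x, y \in U(TW)$ then $|\delta^0(x) - \delta^0(y)| > 1 \Rightarrow \neg\,\mathrm{Adj}_{(G_0, B_n)}(x, y)$. 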
Corollary 1. The following equivalence holds: 

$\big((G_0, C, \delta^0){\restriction}(U(T) \cup SV_n),\, SV_n,\, t_0, \ldots, t_{2^r+1}\big) \sim_r \big((G_0, C, \delta^0){\restriction}(U(W) \cup SV_n),\, SV_n,\, w_0, \ldots, w_{2^r+1}\big)$ 

Proof: By definition, $\delta^0$ can maximally have $2^r + 2$ different values. Thus, the 
above abbreviation stands for the addition of $2^r + 2$ new unary relations, where 
each vertex is captured by exactly one of these new relations. From Proposition 4 
follows that the duplicator has a winning strategy in the $(r + 2^r)$-round game 
on the two structures considered here without the new relations encoding $\delta^0$. 
The proof is accomplished by showing that the spoiler can easily verify in the 
last $2^r$ rounds of that game the $\delta^0$-distances of any vertex pebbled during the 
first r rounds. Hence, the duplicator's pebbling strategy respects the $2^r + 2$ new 
relations in the first r rounds. 

Now, the duplicator chooses the disconnected graph $G_1$ as follows: 

- $V(G_1) = V(G_0) = V(B_n) = [n]$ 

- $E(G_1) = E(G_0) \setminus \{(t_0, t_1), (w_0, w_1)\} \cup \{(t_0, w_1), (t_1, w_0)\}$ 

$G_1$ is disconnected, since it contains a cycle 
$Q = \{t_1, t_2, \ldots, t_{2^r+1}, \ldots, w_{-1}, w_0\}$. 

Afterwards, the duplicator colors $G_1$ identically to the coloring of $G_0$, i.e. 
vertices with the same number obtain the same color. 
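
The step from $G_0$ to $G_1$ can be checked mechanically in a simplified setting. The Python below is an added example, not code from the paper: it assumes there is no built-in relation (so $G_0$ is a plain cycle), replaces the $\sim$-equivalence of Proposition 4 by two windows with identical colour sequences, and uses hypothetical function names and a constructed colouring.

```python
from collections import deque


def cycle_graph(n):
    """Adjacency sets of the cycle 0 - 1 - ... - (n-1) - 0 (stands in for G_0)."""
    return {v: {(v - 1) % n, (v + 1) % n} for v in range(n)}


def swap_edges(g, t0, t1, w0, w1):
    """E(G_1) = E(G_0) \\ {(t0,t1),(w0,w1)} U {(t0,w1),(t1,w0)}."""
    h = {v: set(nb) for v, nb in g.items()}
    for a, b in ((t0, t1), (w0, w1)):
        h[a].remove(b)
        h[b].remove(a)
    for a, b in ((t0, w1), (t1, w0)):
        h[a].add(b)
        h[b].add(a)
    return h


def count_components(g):
    """Number of connected components, by breadth-first search."""
    seen, count = set(), 0
    for start in g:
        if start in seen:
            continue
        count += 1
        seen.add(start)
        queue = deque([start])
        while queue:
            v = queue.popleft()
            for u in g[v] - seen:
                seen.add(u)
                queue.append(u)
    return count


def find_matching_windows(colours, d):
    """Pigeonhole step: two windows of width 2d with the same colour sequence.
    Starts are >= 2d+2 apart and stop 2 short of the end, so that both cycles
    of G_1 have length >= 2d+2."""
    width, gap, first = 2 * d, 2 * d + 2, {}
    for start in range(len(colours) - width - 1):
        key = tuple(colours[start:start + width])
        if key in first and first[key] + gap <= start:
            return first[key], start
        first.setdefault(key, start)
    return None


def ball_type(g, colours, v, d):
    """Rooted coloured type of the d-neighbourhood of v in a 2-regular graph
    whose cycles all have length >= 2d+2 (the ball is a path centred at v)."""
    arms = []
    for first in g[v]:
        seq, prev, cur = [], v, first
        for _ in range(d):
            seq.append(colours[cur])
            prev, cur = cur, next(u for u in g[cur] if u != prev)
        arms.append(tuple(seq))
    return colours[v], tuple(sorted(arms))


def differing_vertices(g0, g1, colours, d):
    """Vertices whose coloured d-neighbourhood type differs between g0 and g1."""
    return [v for v in g0
            if ball_type(g0, colours, v, d) != ball_type(g1, colours, v, d)]


def build_pair(colours, d):
    """Return (G_0, G_1, (t0, t1, w0, w1)); the swap sits mid-window."""
    found = find_matching_windows(colours, d)
    if found is None:
        raise ValueError("no two matching windows; enlarge the cycle")
    a, b = found
    t0, t1, w0, w1 = a + d - 1, a + d, b + d - 1, b + d
    g0 = cycle_graph(len(colours))
    return g0, swap_edges(g0, t0, t1, w0, w1), (t0, t1, w0, w1)


def constructed_colouring(n, c, seed=1998):
    """Constructed sample input: a deterministic pseudo-random c-colouring."""
    colours, state = [], seed
    for _ in range(n):
        state = (1103515245 * state + 12345) % 2**31
        colours.append((state >> 16) % c)
    return colours


if __name__ == "__main__":
    d, colours = 2, constructed_colouring(600, 3)
    g0, g1, swap = build_pair(colours, d)
    print("swap (t0, t1, w0, w1):", swap)
    print("components:", count_components(g0), "->", count_components(g1))
    print("vertices with changed d-neighbourhood:",
          differing_vertices(g0, g1, colours, d))
```

Since no vertex changes its coloured d-neighbourhood, no inspection of radius d separates the connected $G_0$ from the disconnected $G_1$.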

Let $H^1 := H^0$, define $\delta^1$ in $(G_1, B_n)$ analogously to $\delta^0$ in $(G_0, B_n)$, replace 
the occurrence of $H^0$ by $H^1$ and the occurrence of $G_0$ by $G_1$. Obviously, for any 
$x \in [n]$ it holds that $\delta^0(x) = \delta^1(x)$. Furthermore, it is worth noting that the 
two considered structures only differ by four edges (between $t_0, t_1, w_0, w_1$); thus, 
we say that both structures are nearly isomorphic. 

Now, the spoiler and the duplicator play an r-round Ehrenfeucht-Fraïssé 
Game that respects the edges of $B_n$, $G_0/G_1$ and the vertex coloring. Our game 
partially uses the method invented by Schwentick [18]; the main idea is that the 
two structures to be played on can both be divided into two substructures such 
that the duplicator has winning strategies for each pair and these two winning 
strategies are then combined into a global winning strategy. In contrast to [18], 
we additionally have to take closer care of the vertices in $\{t_0, w_0\} \cup SV_n$; note 
that for any $y \in SV_n$ it holds $\delta^{0/1}(y) = 2^r + 1$. 

We need two special distance bounds; these will be defined successively during 
the game. In the beginning of the game (i.e. before the first round) they have the 
following values: $d(0) := 0$, $D(0) := 2^r + 1$. Using these bounds, we can define 
two areas $J^0$, $H^0$ in $(G_0, B_n, \delta^0)$ and $J^1$, $H^1$ in $(G_1, B_n, \delta^1)$, respectively, 
for $0 \le q \le r$ as follows: 

$H^{0/1}(q) := \{\, x \in [n] \mid \delta^{0/1}(x) \le d(q) \,\} \cup SV_n$ 

$J^{0/1}(q) := \{\, x \in [n] \mid \delta^{0/1}(x) \ge D(q) \,\} \cup SV_n \cup \{t_0, w_0\}$ 

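Lemma 2. The duplicator can play in such a way that after the qth round 
($0 \le q \le r$) for pebbled vertices $A_q := \{a_1, \ldots, a_q\} \subseteq [n]$ in $(G_0, B_n)$ and 
$B_q := \{b_1, \ldots, b_q\} \subseteq [n]$ in $(G_1, B_n)$, the following assertions (i)-(iii) hold: 

(i) For $\{q_1, \ldots, q_j\} \subseteq [q]$ it holds $\{a_{q_1}, \ldots, a_{q_j}\} = A_q \cap J^0(q)$ iff 
$\{b_{q_1}, \ldots, b_{q_j}\} = B_q \cap J^1(q)$ and if $\{a_{q_1}, \ldots, a_{q_j}\} = A_q \cap J^0(q)$ then the 
identity function maps 

$\big((G_0, B_n, C, \delta^0){\restriction}(([n] \setminus H^0(q)) \cup SV_n \cup \{t_0, w_0\}),\, SV_n,\, t_0, w_0, a_{q_1}, \ldots, a_{q_j}\big)$ 

isomorphically to 

$\big((G_1, B_n, C, \delta^1){\restriction}(([n] \setminus H^1(q)) \cup SV_n \cup \{t_0, w_0\}),\, SV_n,\, t_0, w_0, b_{q_1}, \ldots, b_{q_j}\big)$ 

(ii) For $\{q'_1, \ldots, q'_{j'}\} \subseteq [q]$ it holds $\{a_{q'_1}, \ldots, a_{q'_{j'}}\} = A_q \cap H^0(q)$ iff 
$\{b_{q'_1}, \ldots, b_{q'_{j'}}\} = B_q \cap H^1(q)$ and if $\{a_{q'_1}, \ldots, a_{q'_{j'}}\} = A_q \cap H^0(q)$ then 

$\big((G_0, B_n, C, \delta^0){\restriction}(([n] \setminus J^0(q)) \cup SV_n \cup \{t_0, w_0\}),\, SV_n,\, t_0, w_0, a_{q'_1}, \ldots, a_{q'_{j'}}\big)$ 

$\sim_{(r-q)}$ 

$\big((G_1, B_n, C, \delta^1){\restriction}(([n] \setminus J^1(q)) \cup SV_n \cup \{t_0, w_0\}),\, SV_n,\, t_0, w_0, b_{q'_1}, \ldots, b_{q'_{j'}}\big)$ 

(iii) $D(q) - d(q) > 2^{r-q}$ and $(J^0(q) \cap A_q) \cup (H^0(q) \cap A_q) = A_q$. 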



Proof: We show the claim by induction on q: 

For q = 0, the first part of assertion is trivial; the second follows, since 
both structures are nearly isomorphic. For assertion (ii), the first part is again 
trivially fulfilled. The second part is obtained as follows: The two substructures 
of {Go, Bn, G, 5^) considered in Corollary 1 are ~r-equivalent. Since both struc- 
tures are nearly isomorphic, and <5° (a;) = <5^ (a;) for any a; G [n], we obtain that 
{Go, Bn, G, 5^) and {G\, Bn,G,S^) are isomorphic (not only indistinguishable) 
to each other except the edges in Thus, the two structures considered in 

assertion (ii) are without the edges in ^^-equivalent. But for these edges, 
the assertion follows directly from the construction of Go and G\ . The first part 
of assertion (Hi) follows directly from the definitions of d(0) and T*(0), the second 
part holds, since no vertex is pebbled yet. 

Assume that assertions (i)-(iii) hold after $q < r$ rounds. We now consider
the $(q+1)$st round, say, the spoiler pebbles $a_{q+1}$ in $(G_0, B_n, C, \delta^0)$:

If $\delta^0(a_{q+1}) > d(q) + 2^{r-(q+1)}$ and $a_{q+1} \notin SV_n$, then the duplicator pebbles
the same vertex in $(G_1, B_n, C, \delta^1)$. We set $D(q+1) := \min\{D(q), \delta^0(a_{q+1})\}$ and
$d(q+1) := d(q)$.

The first part of assertion (iii) is straightforward. Its second part follows from
the induction hypothesis and the fact that $a_{q+1} \in J^0(q+1)$.

Assertion (i) follows directly from the induction hypothesis and the fact that
$b_{q+1}$ was pebbled identically to $a_{q+1}$ by the duplicator.

Assertion (ii): The first part follows directly from the induction hypothesis,
since $A_{q+1} \cap H^0(q+1) = A_q \cap H^0(q)$. The second part of the assertion follows
directly from the induction hypothesis, if $D(q+1) = D(q)$. Otherwise, by
assertion (ii) of the induction hypothesis, the duplicator has a winning strategy that
respects the additional $2^r + 2$ relations encoding $\delta^{0/1}$ in an $(r-q)$-round game
on the structures considered there. If $D(q+1) < D(q)$, then the structures
considered now in assertion (ii) are proper substructures of those in the induction
hypothesis (ii). Since the substructures considered now result from the former
in a way that respects the strategy of the duplicator in the induction
hypothesis is, when applied now, again a winning strategy. Thus, also in this case
assertion (ii) follows from its validity in the induction hypothesis. Note that we
have something slightly stronger than required: The duplicator has a winning
strategy in an $(r-q)$-round game on the structures considered now, but we only
need a winning strategy in an $(r-(q+1))$-round game.

Fig. 6. A sketch of the structures $(G_0, B_n)$ and $(G_1, B_n)$ for the case $|SV_n| = 2$.


If $\delta^0(a_{q+1}) \le d(q) + 2^{r-(q+1)}$ and $a_{q+1} \notin \{t_0, w_0\}$, the duplicator pebbles $b_{q+1}$
in $(G_1, B_n, C, \delta^1)$ according to his winning strategy from assertion (ii) of the
induction hypothesis. We set $d(q+1) := \max\{d(q), \delta^0(a_{q+1})\}$, $D(q+1) := D(q)$.

The first part of assertion (iii) is again straightforward, the second part of it
follows from the induction hypothesis and the fact that $a_{q+1} \in H^0(q+1)$.

The first part of assertion (i) follows directly from the induction hypothesis,
since $a_{q+1} \in H^0(q+1)$ and $b_{q+1} \in H^1(q+1)$. The second part of assertion (i)
follows directly from the induction hypothesis, since we now consider (not
necessarily proper) substructures of those considered in the induction hypothesis.

For assertion (ii) the first part follows, since $b_{q+1}$ was pebbled according to
the winning strategy of the induction hypothesis, hence, we obtain $\delta^1(b_{q+1}) =
\delta^0(a_{q+1})$ (note: is encoded into both structures considered in the induction
hypothesis), thus especially it holds that $b_{q+1} \in H^1(q+1)$. The second part of
assertion (ii) follows directly from the induction hypothesis, since the duplicator
pebbled $b_{q+1}$ according to the winning strategy supposed there.

If $a_{q+1} \in (SV_n \cup \{t_0, w_0\})$, the duplicator pebbles the vertex $b_{q+1}$ in
$(G_1, B_n, C, \delta^1)$ with the same number. We set $d(q+1) := d(q)$, $D(q+1) := D(q)$.

Assertion (iii) follows immediately.

The first part of assertion (i) holds, since by definition of $J^{0/1}(q+1)$ it holds
that $J^{0/1}(q+1) \supseteq (SV_n \cup \{t_0, w_0\})$. The second part of assertion (i) follows,
since the duplicator pebbled identically.

The first part of assertion (ii) holds, since by definition of $H^{0/1}(q+1)$ it
holds that $H^{0/1}(q+1) \supseteq (SV_n \cup \{t_0, w_0\})$. The second part of assertion (ii)
holds directly by the induction hypothesis, since $a_{q+1}$ is a distinguished vertex
in the first structure considered there, thus, since $b_{q+1}$ was pebbled identically to
$a_{q+1}$, the former is the corresponding distinguished vertex in the second
structure considered there.

If the spoiler pebbles in the $(q+1)$-th round a vertex $b_{q+1}$ in $(G_1, B_n, C, \delta^1)$,
the duplicator pebbles $a_{q+1}$ in $(G_0, B_n, C, \delta^0)$ analogously to the above case
distinction.

The validity of the assertions (i)-(iii) follows in the analogous way as above
(note that for the second part of assertion (iii), one has first to verify the first
parts of assertions (i) and (ii)), which concludes our induction.

Figure 6 gives a small sketch of how both structures look for the special case
$SV_n = \{v_n, s\}$, hence, $|SV_n| = 2$. The dashed lines stand for $B_n$-edges, the other
lines for edges of $G_0$ or $G_1$, respectively.

Finally, we have to show that for $q \ne q'$ it holds that

$\langle (G_0, B_n, C)|\{a_q, a_{q'}\},\ a_q, a_{q'} \rangle \cong \langle (G_1, B_n, C)|\{b_q, b_{q'}\},\ b_q, b_{q'} \rangle$.

If $\{a_q, a_{q'}\} \subseteq J^0(r)$, this follows from assertion (i) of Lemma 2.

If $\{a_q, a_{q'}\} \subseteq H^0(r)$, then this follows from assertion (ii) of Lemma 2.

If $\{a_q, a_{q'}\} \not\subseteq H^0(r)$, and $\{a_q, a_{q'}\} \not\subseteq J^0(r)$, then from the second part of
assertion (iii) of Lemma 2 follows that either $a_q \in H^0(r) \setminus (SV_n \cup \{t_0, w_0\})$ and
$a_{q'} \in J^0(r) \setminus (SV_n \cup \{t_0, w_0\})$ or vice versa. Thus, we have by the first part
of assertion (iii) of Lemma 2 (note that from $\{a_q, a_{q'}\} \not\subseteq J^0(r)$ follows that
$\{a_q, a_{q'}\} \subseteq U(TW)$) that $|\delta^0(a_q) - \delta^0(a_{q'})| > 1$, thus, we obtain
$\neg \mathrm{Adj}_{(G_0, B_n)}(a_q, a_{q'})$ and $\neg \mathrm{Adj}(b_q, b_{q'})$, and we are done.

All in all, we obtain that the duplicator has a winning strategy in the $r$-round
game for Graph Connectivity and Mon$\Sigma_1^1$ enriched by the built-in relation $B$,
which concludes our proof.

q.e.d.
4 Summary

Our result yields an affirmative answer in the direction of the question of Fagin,
Stockmeyer and Vardi [9], whether Graph Connectivity is not in Mon$\Sigma_1^1$ even
in the presence of built-in relations of large degree.

Using the idea that any graph $G = (V(G), E(G))$ is a minor of the complete
graph we obtain the following:

Theorem 3. Graph Connectivity is not in Mon$\Sigma_1^1$ even in the presence of an
irreflexive symmetric built-in relation that does not have an arbitrary, but fixed
finite graph $H = (V(H), E(H))$ as a minor.

Thus, we have negative definability results for all classes of graphs given in
Table 1, since all classes of graphs listed there have at least one forbidden minor.

When we consider classes of simple graphs which are minor-closed (i.e. such
a class contains all minors of isomorphic copies of its members), it follows from
the results of Robertson and Seymour [16,17] (see also [4], Corollary 12.5.3) that
the minimal set of forbidden minors of that class is finite. Thus, we can derive
a more general result for minor-closed classes of symmetric irreflexive binary
relations:

Corollary 2. Graph Connectivity is not in Mon$\Sigma_1^1$, even in the presence of an
arbitrary built-in relation which belongs to a minor-closed class of irreflexive
symmetric binary relations which is not equal to the class of all irreflexive
symmetric binary relations.

As already mentioned in Table 1, the class of graphs that do not have the
complete graph $K_k$ as a minor for a certain $k \in \mathbb{N}$ contains many other classes
of graphs. For these, our result also holds. We give one corollary:

Corollary 3. Graph Connectivity is not in Mon$\Sigma_1^1$ even in the presence of an
irreflexive symmetric built-in relation that has bounded tree-width.



Classes of Graphs                              Tree-Width
---------------------------------------------  ----------
Trees / Forests                                1
Chordal Graphs with maximal clique size k      < k
Partial k-Trees                                < k
Series-Parallel Graphs                         < 3
Outerplanar Graphs                             < 3
Halin Graphs                                   < 4
Complete Graph K_k                             k - 1

Table 2. Collection of some known lower bounds for tree-width.

Table 2 gives an overview of classes of graphs that are captured by the class
of graphs of tree-width k.
Abstract. We look at various uniform and non-uniform complexity
classes within P/poly and its variations L/poly, NL/poly, NP/poly and
PSpace/poly, and look for analogues of the Ajtai-Immerman theorem
which characterizes $AC_0$ as the non-uniformly First Order Definable
classes of finite structures. We have previously observed that the
Ajtai-Immerman theorem can be rephrased in terms of invariant definability.
A class of finite structures is FOL invariantly definable iff it is in $AC_0$.
Invariant definability is a notion closely related to but different from
implicit definability and $\Delta$-definability. Its exact relationship to these
other notions of definability has been determined in [Mak97].

Our first results are a slight generalization of similar results due to
Molzan and can be stated as follows: let $\mathbf{C}$ be one of L, NL, P, NP,
PSpace and $\mathcal{L}$ be a logic which captures $\mathbf{C}$ on ordered structures. Then
the non-uniform $\mathcal{L}$-invariantly definable classes of (not necessarily
ordered) finite structures are exactly the classes in $\mathbf{C}$/poly. We also
consider uniformity conditions imposed on invariant definability and relate
them to uniformity conditions on the advice sequences. This approach is
different from imposing uniformity conditions on the circuit families.
The significance of our investigation is conceptual, rather than technical:
We identify exactly the logical analogue of uniform and non-uniform
complexity classes.
1 Introduction and survey of results

In this paper we propose a way to unify various notions of definability from model
theoretic logic, formal language theory and descriptive complexity theory. Their
common theme is definability using auxiliary predicates. This paper continues
the analysis in [Mak97] of the notion of invariant definability, the definition of
which will be given below. Special cases of invariant definability have been used,
more or less explicitly, in various contexts of finite model theory and descriptive
complexity theory. We assume the reader is familiar with the basics of complexity
theory as given in [Joh90,BS90] and of descriptive complexity theory as given in
[EF95,Imm9x]. Unless otherwise stated all structures considered are finite.

We see the main merit of this paper in its synthesis of various observations
concerning the logical description of uniform and non-uniform circuit complexity
classes within the polynomial hierarchy and their relationship with the
corresponding Turing complexity classes. The purely logical aspects of invariant
definability and its relationship with Turing complexity classes were already
presented in [Mak97]. Related and overlapping work was independently obtained in
the widely overlooked¹ beautiful paper by Molzan [Mol90], and more recently, in
[AB97].

We deal with logics $\mathcal{L}$ such as First Order Logic FOL, possibly extended
by a deterministic (non-deterministic) transitive closure operator DTC (TC),
denoted by FOL+DTC (FOL+TC); (Existential) Second Order Logic (ESOL)
SOL; and Inflationary (Partial) Fixed Point Logic IFP (PFP). For detailed
definitions we refer to the textbook [EF95]. Vocabularies are sets of relation
symbols. They are denoted by $\tau$, $\sigma$ or $R$, $S$ with $R = \{R_1, \ldots, R_n\}$, depending
whether we emphasize the vocabulary as an abstract entity or as an explicit
set of relation symbols. For a logic $\mathcal{L}$ we denote by $\mathcal{L}(\tau)$ ($\mathcal{L}(R)$) the set of
$\tau$-sentences of $\mathcal{L}$, for $\phi \in \mathcal{L}(\tau)$ by $MOD(\phi)$ the class of finite $\tau$-structures $\mathfrak{A}$
such that $\mathfrak{A} \models \phi$, and by $DEF(\mathcal{L}(\tau))$ the classes $K$ of finite $\tau$-structures of the
form $K = MOD(\phi)$ for some sentence $\phi \in \mathcal{L}(\tau)$. For two logics $\mathcal{L}_1$ and $\mathcal{L}_2$ we
write $\mathcal{L}_1 \subseteq \mathcal{L}_2$ if $DEF(\mathcal{L}_1(\tau)) \subseteq DEF(\mathcal{L}_2(\tau))$ for every vocabulary $\tau$.



1.1 Invariant definability: Definitions 

Let $R$ and $S$ be two disjoint sets of relation symbols and let $\mathcal{L}$ be a logic.
Furthermore, let $K_0$ and $K$ be two classes of (finite) $R$, respectively $S$ structures,
both closed under isomorphisms. If $\mathfrak{A}$ is an $R \cup S$-structure we denote by $\mathfrak{A}|_S$
the restriction of $\mathfrak{A}$ to interpretations of $S$. Conversely, $\mathfrak{A}$ is called an expansion
of $\mathfrak{A}|_S$. To introduce our notions of invariant definability we first make precise
what we mean by the statement "a formula $\phi(R, S)$ with predicate symbols $R$ and
$S$ does not depend on the interpretation of $R$ over $K_0$". This holds if for any two
(finite) $R \cup S$-structures $A$ and $B$ such that $A|_S = B|_S$ and $A|_R, B|_R \in K_0$ we
have that $A \models \phi$ iff $B \models \phi$.

¹ Our result was also obtained independently of [Mol90]. The paper was pointed out
to us by an anonymous referee of CCC'98.
Definition 1. Let $\phi(R, S)$ be a formula in $\mathcal{L}(R \cup S)$.

(i) $\phi$ defines a class of $S$-structures $K$ invariantly over $K_0$ (or just
$K_0$-invariantly) if for any (finite) $R \cup S$-structure $A$ with $A|_R \in K_0$ we
have that $A \models \phi$ iff $A|_S \in K$.

(ii) $K$ is invariantly definable over $K_0$, if there is a $\phi$ which defines $K$ invariantly
over $K_0$.

(iii) If, additionally, $K_0$ is definable by an $\mathcal{L}(R)$ formula $\psi$, we say that $K$ is
strictly invariantly definable over $K_0$.

If we want to stress that $K_0$ is not required to be $\mathcal{L}(R)$-definable, we say that
$K$ is weakly invariantly definable over $K_0$.

$K_0$ gives us the auxiliary relations which interpret the auxiliary predicates
$R$. One easily sees that if $\phi$ defines a class of $S$-structures $K$ invariantly over $K_0$
then $\phi$ does not depend on the interpretation of $R$ over $K_0$. This is the reason
we call this notion of definability invariant.

Let $\mathfrak{H}$ be a class of classes of finite structures which all are closed under
isomorphisms. Typically, $\mathfrak{H}$ could be given as the class of all $K$ definable in some
logic $\mathcal{L}$ or the class of languages (or classes of finite structures) recognizable in
some complexity class. $K$ is $\mathfrak{H}$-invariantly definable in $\mathcal{L}$ if there is a $K_0 \in \mathfrak{H}$ and
a $\phi$ such that $\phi$ defines $K$ $K_0$-invariantly. $\mathfrak{H}$ defines the range of possible $K_0$'s
which are allowed as auxiliary classes $K_0$.

Various $\mathfrak{H}$ have been considered in the literature. Typically $\mathfrak{H}$ could be one
of the following:

(i) $\mathfrak{H}$ consists of all numerical relations (predicates). Numerical relations are
relations whose isomorphism type is uniquely determined by the cardinality of
the underlying universe. In model theoretic terms these are the fin-categorical
classes $K_0$ of $\tau$-structures where $\tau$ consists of a single relation symbol. A class
of finite $\tau$-structures is fin-categorical if any two structures of the same finite
cardinality are $\tau$-isomorphic. Immerman, [Imm87, theorem 6.2], considers
this case for the notion of FOL definability using auxiliary predicates in his
characterization of $AC_0$. Molzan [Mol90, theorem 3.3] considers this case
in his characterization of non-uniform L, NL and P. Gurevich and Lewis,
[GL84] use a notion of definability using free predicate variables, which is
equivalent to this case as well.

(ii) $\mathfrak{H}$ consists of $ISO(\tau)$, i.e. all classes $K_0$ of finite $\tau$-structures closed under
$\tau$-isomorphisms. Hence it includes the numerical relations. Ajtai uses this
notion of invariant $\mathfrak{H}$-definability in FOL for his non-definability results in
[Ajt83].

(iii) $\mathfrak{H}$ contains exactly one numerical class $K_0$. In [Imm87] this notion is used
with $K_0 = SUCC$, the class of finite successor relations, to characterize
the complexity classes L, NL and P. With $K_0 = ORD$, the class of linear
orderings, the same characterizations are obtained.

(iv) $\mathfrak{H}$ consists of all the classes $K_0$ which are closed under substructures. In
[Mak97] we have characterized the numerical predicates which are closed
under substructures and have found that the linear orderings are in a certain
sense the only such class.

(v) $\mathfrak{H}$ consists of numerical predicates which are constructible or recognizable
within some complexity bound, such as polynomial time or logarithmic space.
Such uniformity conditions were considered in a series of papers by
Barrington, Compton, Gurevich, Immerman, Lewis, Straubing, Therien, e.g.
[GL84,BCST92,BIS90,BI94,Str94].

(vi) $\mathfrak{H}$ consists of $DEF(\mathcal{L}_1)$, i.e. all the classes definable in a logic $\mathcal{L}_1$ (without
auxiliary predicates). $ORD$ is FOL-definable in this sense ($ORD \in
DEF(FOL)$), but $SUCC$ is not (as we can not express the absence of
cycles). In section 4 we shall discuss the impact of this choice for various $\mathcal{L}_1$.
We shall see that this notion is rather robust under variations of $\mathcal{L}_1$. For $\mathcal{L}_1$
with $DEF(FOL) \subseteq DEF(\mathcal{L}_1) \subseteq DEF(ESOL)$ we get the same
$DEF(\mathcal{L}_1)$-invariantly definable classes in $\mathcal{L}$.



1.2 Guiding examples 

Recall that we denote by $ORD$ the class of finite linear orders.

Example 1. Even is the class of finite sets (= structures over the empty
vocabulary) of even cardinality. Even is in $AC_0$, but is not definable in IFP or even
PFP, cf. [EF95]. It is easy to see that Even is $K_0$-invariantly FOL-definable
with $K_0$ the class of ordered structures with an additional unary predicate $P$
which colors every second element in the order.
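Example 1 checked by brute force, as an added illustration that is not part of the paper. The sentence `phi` ("the greatest element is in P"), the reading of "every second element" as the 2nd, 4th, ... element of the order, and all function names are assumptions made for this sketch.

```python
from itertools import permutations, product


def k0_expansion(order):
    """Auxiliary relations for one linear order of the universe: R_< as a set
    of pairs, and P colouring every second element (2nd, 4th, ...)."""
    lt = {(a, b) for i, a in enumerate(order) for b in order[i + 1:]}
    p = {a for i, a in enumerate(order) if i % 2 == 1}
    return lt, p


def phi(universe, lt, p):
    """Assumed sentence: forall x ((forall y not R_<(x, y)) -> P(x)).
    Each quantifier is evaluated as a loop over the universe."""
    return all(x in p or any((x, y) in lt for y in universe) for x in universe)


def in_k0(universe, lt, p):
    """Membership in K_0, written as first-order conditions on (R_<, P):
    R_< is a strict linear order, the least element is uncoloured, and the
    colour flips between each element and its immediate successor."""
    u = list(universe)
    irreflexive = all((x, x) not in lt for x in u)
    total = all(((x, y) in lt) != ((y, x) in lt) for x in u for y in u if x != y)
    transitive = all((x, z) in lt for x in u for y in u for z in u
                     if (x, y) in lt and (y, z) in lt)
    if not (irreflexive and total and transitive):
        return False

    def succ(x, y):
        return (x, y) in lt and not any((x, z) in lt and (z, y) in lt for z in u)

    least_uncoloured = all(x not in p for x in u
                           if not any((y, x) in lt for y in u))
    alternating = all((x in p) != (y in p) for x in u for y in u if succ(x, y))
    return least_uncoloured and alternating


def all_structures(n):
    """Every interpretation of (R_<, P) on the universe {0, ..., n-1}."""
    u = list(range(n))
    pairs = list(product(u, u))
    for lt_bits in product([False, True], repeat=len(pairs)):
        lt = {pr for pr, bit in zip(pairs, lt_bits) if bit}
        for p_bits in product([False, True], repeat=n):
            yield u, lt, {x for x, bit in zip(u, p_bits) if bit}


def k0_members(n):
    """All members of K_0 on {0, ..., n-1}, found by exhaustive search."""
    return [(u, lt, p) for u, lt, p in all_structures(n) if in_k0(u, lt, p)]


def defines_even_invariantly(max_n):
    """True iff for every n <= max_n and every K_0-expansion of an n-element
    set, phi holds exactly when n is even (Definition 1 (i) with S empty)."""
    for n in range(1, max_n + 1):
        for order in permutations(range(n)):
            lt, p = k0_expansion(order)
            if not in_k0(range(n), lt, p):
                return False
            if phi(range(n), lt, p) != (n % 2 == 0):
                return False
    return True


def phi_outside_k0():
    """Outside K_0 the truth value of phi is not tied to the cardinality:
    a 2-element order with P empty, and a 3-element order with P = {max}."""
    lt2, _ = k0_expansion((0, 1))
    lt3, _ = k0_expansion((0, 1, 2))
    return phi(range(2), lt2, set()), phi(range(3), lt3, {2})


if __name__ == "__main__":
    print(defines_even_invariantly(6))
    print(len(k0_members(3)))
    print(phi_outside_k0())
```

The exhaustive search in `k0_members` confirms that each linear order carries exactly one admissible colouring, so the permutations enumerated in `defines_even_invariantly` cover all of K_0 on a fixed universe.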



Example 2. Let $K$ be a class of $S$-structures and $K_{ORD}$ the class of $S \cup \{R_<\}$-
structures which are ordered expansions of structures in $K$. Assume that
$\phi(S, R_<)$ defines $K$ $ORD$-invariantly in a logic $\mathcal{L}$. In particular we assume
w.l.o.g. that $\phi$ also says that $R_<$ is a linear order. Then $\phi(S, R_<)$ defines $K_{ORD}$.
The contrapositive is useful: $Even_{ORD}$ is known not to be FOL-definable. A
simple pebble game will establish this, cf. [EF95]. We conclude that Even is not
$ORD$-invariantly FOL-definable.



Example 3. Parity is the class of finite structures for one unary predicate which
has even cardinality. Clearly Parity is in L, but it is not in $AC_0$, cf. [BS90],
by the famous result of Ajtai [Ajt83] and Furst, Saxe and Sipser [FSS84]. As
in the previous example, it is easy to see that Parity is not $ORD$-invariantly
FOL-definable. In contrast, Parity is $ORD$-invariantly FOL + DTC-definable.



Example 4. s-t-conn (also called Gap) is the class of directed graphs $(V, E, s, t)$
with two distinguished vertices $s, t$ and edge relation $E$ such that there is an
$E$-path from $s$ to $t$. s-t-conn is FOL+TC-definable, and hence IFP-definable.
Ajtai [Ajt89] has shown that s-t-conn is not in $AC_0$.
1.3 The Immerman-Sazonov-Vardi Theorem revisited

The by now classical results in descriptive complexity theory, cf. the monograph
[EF95] and [Saz80], show that various complexity classes such as polynomial time
(space) can be captured by logics in the presence of a linear order or labeling
of the underlying structures. Here we understand under "$\mathcal{L}$ captures a complexity
class $\mathbf{C}$ on ordered structures" that for every class of ordered $S$-structures $K$ we
have that $K \in \mathbf{C}$ iff there is an $\mathcal{L}(S)$-sentence $\phi$ with $\mathfrak{A} \in K$ iff $\mathfrak{A} \models \phi$.

The following argument shows that capturing complexity classes by logics in
the presence of ordering can be recast in terms of invariant definability.

Let $\mathcal{L}$ be a logic (not weaker than FOL), $\mathbf{C}$ a complexity class (not below
Logspace L, say). If $\mathcal{L}$ captures $\mathbf{C}$ on ordered structures, then it just follows
that a class $K$ of (not necessarily ordered) $S$-structures is in $\mathbf{C}$ iff it is
$ORD$-invariantly $\mathcal{L}(S \cup \{R_<\})$-definable. For the interesting direction, assume $K \in \mathbf{C}$.
Then also $K_{ORD} \in \mathbf{C}$, hence $K_{ORD}$ (from Example 2) is $\mathcal{L}(S \cup \{R_<\})$-definable
by a sentence $\phi$. But by the definition of $K_{ORD}$ it contains all the possible
ordered expansions of structures in $K$, hence $\phi$ defines $K$ invariantly over $ORD$.
Conversely, if $K$ is $ORD$-invariantly definable in $\mathcal{L}$ by some $\phi$ which also asserts
that $R_<$ is a linear order, the same $\phi$ defines $K_{ORD}$. Therefore $K_{ORD}$, and a
fortiori $K$, are in P. So we have

Theorem 1 (Immerman, Sazonov, Vardi). Let $K_0$ be the class of finite
linear orders, $K_0 = ORD$, and $K$ be a class of $R$ structures. Then $K$ is in P iff
there is a $\phi \in IFP(R \cup \{R_<\})$ which defines $K$ $ORD$-invariantly.



1.4 The Ajtai-Immerman Theorem revisited

In [Mak97] we showed the following variation of [BS90, theorem 3.21], there
attributed to Ajtai and Immerman. Actually, Immerman showed this in [Imm87,
theorem 6.2] for definability over numerical relations.

Theorem 2 (Ajtai, Immerman). A class of $\tau$-structures is in $AC_0$ iff it
is $ISO(\sigma)$-invariantly definable in First Order Logic.

To see this we exploited a close relationship between the notion of invariant
definability and a notion of definability previously studied by Ajtai [Ajt83, Ajt89].
Ajtai's notion of definability was introduced to prove negative results in
circuit complexity and is stronger than invariant definability, cf. [BS90]. It is
easy to see that even non-recursive languages may be Ajtai-definable (as well
as $ISO$-invariantly definable). In particular Ajtai showed that neither Parity
nor s-t-conn (Gap) are $AC_0$-definable, hence they are not weakly invariantly
FOL-definable.



1.5 Capturing non-uniform complexity classes 

We want to explore the connection between invariant definability and descriptive
complexity for non-uniform circuit complexity classes. Let $f : \mathbb{N} \to \mathbb{N}$. An $f(n)$
advice sequence is a sequence of binary strings $A = (a_1, a_2, \ldots)$ where $|a_n| \le
f(n)$. For a language $B \subseteq \{0, 1, \sharp\}^*$ let $B@A = \{x : x \sharp a_{|x|} \in B\}$. For a space or
time bounded complexity class $\mathbf{C}$ we define, following [BS90],

$\mathbf{C}/f = \{B@A : B \in \mathbf{C} \text{ and } A \text{ is an } f(n) \text{ advice sequence for some } A\}$

Finally $\mathbf{C}/poly = \bigcup_k \mathbf{C}/n^k$. We are mostly interested in the non-uniform
analogues of P (deterministic polynomial time), NP (non-deterministic polynomial
time), L (deterministic logarithmic space), NL (non-deterministic logarithmic
space) and PSpace (deterministic polynomial space), which are denoted by
P/poly, NP/poly, L/poly, NL/poly and PSpace/poly respectively.

We generalize this to finite structures as follows. Let $R$ and $S$ be two disjoint
sets of relation symbols. Let $c : \mathrm{Str} \to \{0, 1\}^*$ be a coding of finite structures
as words and $K$ a class of $S$-structures. An $R$-advice sequence is a sequence
of $R$-structures $(\mathfrak{A}_1, \mathfrak{A}_2, \ldots)$ such that the universe of $\mathfrak{A}_n$ has cardinality $n$. Let
$B_K = \{c(\mathfrak{B}) : \mathfrak{B} \in K\}$ and $A = \{c(\mathfrak{A}_i) : i \in \mathbb{N}\}$. We now say that a class
of $S$-structures $K \in \mathbf{C}/poly$ if there exists an $R$-advice sequence such that
$B_K@A \in \mathbf{C}$. Furthermore we note that $B_K@A$ can be viewed as the encodings
of $R \cup S$-structures $\mathfrak{C}$ such that $\mathfrak{C}|_R = \mathfrak{A}_i$ for some $i \in \mathbb{N}$ and $\mathfrak{C}|_S \in K$. Clearly,
$R$-advice sequences are always polynomially bounded.

The first result of this paper is the following (easy) theorem. For numerical
relations this was already shown by Molzan [Mol90], a paper which has been
widely overlooked.

Theorem 3. Let $K$ be a class of finite $R$-structures.

(i) $K$ is in P/poly iff $K$ is $ISO(S)$-invariantly definable in IFP.

(ii) This generalizes to:

$K$ is in L/poly (NL/poly, NP/poly, PSpace/poly) iff $K$ is
$ISO(S)$-invariantly definable in FOL + DTC (FOL + TC, ESOL, PFP).

The proof is given in section 2 and uses two lemmas on advice sequences and
the Immerman-Sazonov-Vardi theorem.



1.6 Implicit and $\Delta$-definability

The reason we introduced in [Mak97] $\mathfrak{H}$-invariant $\mathcal{L}$-definability for its own sake
lies in the fact that in the case with $\mathfrak{H} = DEF(\mathcal{L})$ and $\mathcal{L}$ a sublogic of Second
Order Logic, it gives rise to well defined logics with its definable classes of
structures lying well within the polynomial hierarchy (in NP $\cap$ CoNP in the case of
first order logic). In section 3 we shall define the notion of implicit definability
and $\Delta$-definability and state precisely the relationships between these three.



1.7 Uniformity conditions 

It is now natural to ask what happens if we restrict our advice sequences to
definable or computable sequences. As an advice sequence $A = (a_1, a_2, \ldots)$ is a
function the range of which could be finite, we look at the complexity
(definability) of the set $\{1^n a_n : n \in \mathbb{N}\}$, i.e. the complexity of the graph of the advice
sequence. Let us denote by P/P (P/NP, P/FOL) the class of languages
recognized by polynomial time Turing machines with advice sequences in P (NP,
FOL-definable). We can generalize this notation to $\mathbf{C}/\mathbf{D}$, for pairs of complexity
classes $\mathbf{C}$, $\mathbf{D}$ or to $\mathbf{C}/\mathcal{L}$ for a complexity class $\mathbf{C}$ and a logic $\mathcal{L}$. In our general
notation this is just $\mathbf{C}/\mathfrak{H}$ with $\mathfrak{H} = \mathbf{D}$ or $\mathfrak{H} = DEF(\mathcal{L})$.

Theorem 3 can easily be generalized to

Theorem 4. A class of $S$-structures $K$ is in P/P (P/NP, P/FOL) iff $K$ is
P- (NP-, FOL-) invariantly definable in IFP.

In section 4 we shall further investigate how the restrictions on the advice
sequences affect the circuit complexity classes.



1.8 Significance of the results 

The results of this paper are technically not difficult and they are primarily
of conceptual interest inasmuch as they exhibit a new feature which allows us
to capture both a Turing complexity class, say P, and its non-uniform circuit
complexity analogue, here P/poly, with variations of invariant definability in a
logic, here IFP.

In particular we can see now the uniformity/non-uniformity of P and P/poly
in the following way:

Uniformly order invariantly definable: There is a class $K_0$, actually $K_0 =
ORD$, such that for every class of finite $R$-structures $K$ we have $K \in$ P iff $K$
is $K_0$ invariantly definable in IFP. In other words P = P/$\mathfrak{H}$ with $\mathfrak{H} = \{ORD\}$.

Non-uniformly invariantly definable: For every class of finite $R$-structures $K$
we have $K \in$ P/poly iff there is a class $K_0$ such that $K$ is $K_0$ invariantly
definable in IFP.

Related and similar results have been obtained by various authors and will
be discussed in more detail in section 5.

Ajtai has succeeded in showing that Parity is not in $AC_0$ using
logico-combinatorial methods, [Ajt83]. In fact he showed that Parity is not invariantly
FOL-definable. The question is whether Ajtai's methods can be extended to
some other logics such as IFP? A positive answer would allow us to exhibit
(recursive, low complexity) classes $K$ of structures which were not in P/poly.

Remark 1. L. Hella has noted that every class of finite graphs closed under
isomorphism is $ORD$-invariantly definable in C/^
2 Characterizing P/poly and its friends

In this section we sketch a proof of theorem 3. The proof uses two lemmas
on advice sequences. A polynomial advice sequence $W$ is a sequence of binary
strings $w_i, i \in \mathbb{N}$ where the size of $w_i$ is polynomially bounded in $i$. We think
of $w_i$ as coding a set of relations interpreting the relation symbols of $R_0$ on the
universe $\{1, \ldots, i\}$.

Let $R = R_0 \cup \{R_<\}$ where $R_<$ is a binary relation symbol whose interpretation
is the natural linear order on the universe of the structure. Let $K_W$ be the
class of (ordered) $R$-structures with the interpretation of the relation symbols
in $R_0$ encoded by $W$. $K_W$ has, up to isomorphism, exactly one member in each
cardinality.

Let $\mathbf{C}$ be a complexity class. In the notation of the previous section, we say
that a class of $R$-structures $K$ is in $\mathbf{C}/poly$ with polynomial advice sequence $W$
if $B_K@W \in \mathbf{C}$.

Lemma 1. Let $K$ be a class of finite $S$-structures. If $K \in$ P/poly with
polynomial advice sequence $W$ then $K$ is $K_W$-invariantly definable in IFP.

Proof. (Sketch) Assume $K \in$ P/poly with polynomial advice sequence $W$. So
the language $B_K@W \in$ P and a word $x \in B_K@W$ codes an (ordered) $R \cup S$-
structure $\mathfrak{A}_x$ for a suitable chosen set of relation symbols $R$. By the Immerman-
Vardi-Sazonov Theorem there is an $R \cup S$-sentence $\phi$ in IFP which defines $\{\mathfrak{A}_x :
x \in B_K@W\}$. As $W$ is an advice sequence, $\phi$ does not depend on $R$ over $K_W =
\{(\mathfrak{A}_x)|_R : \mathfrak{A}_x \models \phi\}$ and $\phi$ defines $K$ $K_W$-invariantly. □

Recall that a class $K$ of finite $R$-structures is fin-categorical if $K$ has models
in each finite cardinality and any two $\mathfrak{A}, \mathfrak{B} \in K$ of the same cardinality are
isomorphic. If $K$ is fin-categorical, it can be used as an advice sequence. Conversely,
every $R$-advice sequence can be viewed as a fin-categorical class of finite
structures. From a model theoretic point of view, there is a one-one correspondence
between advice sequences and fin-categorical classes, because the structure
depends only on the cardinality of its universe. Clearly, any class $K$ with models
in every finite cardinality contains a fin-categorical subclass $K_1$.

Lemma 2. Let $K$ be a class of finite $S$-structures and $K_0$ be a class of finite
$R$-structures. If $K$ is $K_0$-invariantly definable in IFP and $K_1 \subseteq K_0$ is
fin-categorical then $K \in$ P/poly with $R$-advice sequence defined by $K_1$.

Proof. (Sketch) Let $\phi$ be the $IFP(R \cup S)$-sentence which defines $K$
$K_0$-invariantly. Then the same formula defines $K$ $K_1$-invariantly. Hence
$B_K@W_{K_1} \in$ P. As $K_1$ is fin-categorical, it can be viewed as an $R$-advice
sequence. □

Assume $\mathbf{C}$ is any complexity class which is captured by a logic $\mathcal{L}$ over ordered
structures. Then both lemmas hold also if we replace P by $\mathbf{C}$ and IFP by $\mathcal{L}$.
Theorem 3 now follows immediately.

3 Implicit, invariant and $\Delta$-definability

We recall the following standard definitions, cf. [BF85]

Definition 2. Let $\mathcal{L}$ be a logic. Let $K$ be a class of $S$-structures.

(i) $K$ is a $\mathcal{L}$-projective class if there is a vocabulary $R$ and a sentence $\phi$ in
$\mathcal{L}(R \cup S)$ such that $\mathfrak{A} \in K$ iff there is an expansion of $\mathfrak{A}$ to a $R \cup S$-structure
$\mathfrak{B}$ such that $\mathfrak{B} \models \phi$.

(ii) $\Delta(\mathcal{L})$ is the family of classes $K$ of $\sigma$-structures such that both $K$ and its
complement are $\mathcal{L}$-projective classes.

(iii) A logic $\mathcal{L}$ is $\Delta$-closed if every $K \in \Delta(\mathcal{L})$ is definable in $\mathcal{L}$.

FOL is $\Delta$-closed if we allow finite and infinite structures. FOL is not
$\Delta$-closed if we only allow finite structures. IFP on finite structures is not $\Delta$-closed:
It is well known, cf. [EF95], that EVEN is not definable in IFP, but it is easily
seen to be in $\Delta(FOL)$, and hence in $\Delta(IFP)$. Second Order Logic is $\Delta$-closed on
finite structures. This follows from the closure under quantification over relation
variables.

First we note that our strict invariantly definable classes are special cases of
projective classes.

Lemma 3. Let $K_0$ be $\mathcal{L}(R)$-definable by a sentence $\theta$. If a class of $S$-structures
$K$ is strictly $K_0$-invariantly $\mathcal{L}$-definable by the $\mathcal{L}(R \cup S)$-sentence $\phi$ then

(i) $\mathfrak{A} \in K$ iff $\mathfrak{A} \models \exists R(\theta(R) \wedge \phi(R, S))$

(ii) $\mathfrak{A} \in K$ iff $\mathfrak{A} \models \forall R(\theta(R) \to \phi(R, S))$

In other words, if $K$ is strictly $K_0$-invariantly $\mathcal{L}$-definable, then both $K$ and
its complement are $\mathcal{L}$-projective classes. Clearly, Parity is in $\Delta(FOL)$, but by
example 3, it is not strictly invariantly FOL-definable.

Given a logic $\mathcal{L}$ the logic $IMP(\mathcal{L}) \subseteq \Delta(\mathcal{L})$ is defined in [EF95] as follows:

Definition 3 (The logic $IMP(\mathcal{L})$). An $IMP(\mathcal{L})(\tau)$-formula $\phi(x)$ with free
variables among $x$ is a tuple

$(\psi_1(R_1), \ldots, \psi_m(R_m), \psi(x, R))$

where each $\psi_i$ is an $\mathcal{L}(\tau \cup \{R_i\})$-sentence and $\psi$ is an $\mathcal{L}(\tau \cup \{R\})$-formula with
free variables among $x$. Furthermore, we require that every finite $\tau$-structure $A$
has exactly one expansion to a $(\tau \cup \{R\})$-structure $A$ satisfying the conjunction
$\psi_1(R_1) \wedge \ldots \wedge \psi_m(R_m)$. Now the meaning of $\phi$ is given by $A \models \phi(a)$ iff $A \models
\psi(a, R)$ where the $R_i$ in $A$ are interpreted to satisfy $\psi_i(R_i)$.

It is easy to see that $IMP(\mathcal{L}) \subseteq \Delta(\mathcal{L})$.

Now we want to show that invariant definability is incomparable with implicit 
definability. 

Definition 4. A t - structure A is trivial if every permutation of the universe of 
A is a T -automorphism. A relation R"^ on A is trivial if the structure < A, R^ > 
is trivial. 

The following is well known and can be proved using pebble games: 

Lemma 4. Assume the vocabulary r is empty and C is a sublogic of finite vari- 
able infinitary logic Then the implicit definitions just define trivial re- 

lations. Furthermore, every implictly FOL-definable relation is already FOL- 
definable. 

The following theorem was proved by Kolaitis [Kol90] , cf. also 
[EF95] [corollary 7.5.9]. 

Theorem 5 ((Kolaitis)). IFP C IMP{FOL) over finite structures, i.e. every 
I F P -definable class of finite structures K is also IMP[FOL)- definable. 

Remark 2. Theorem 5 is false if we allow infinite structures. To see this we 
note that IFP on infinite structures properly extends FOL and is not compact, 
whereas $IMP(FOL) = FOL$.

We denote by $INV(FOL)$ the class of classes of finite structures which are
strictly invariantly definable in FOL. We already know that both $IMP(FOL) \subseteq
\Delta(FOL)$ and $INV(FOL) \subseteq \Delta(FOL)$.

In [Mak97] we showed

Proposition 1. $INV(FOL)$ and $IMP(FOL)$ are incomparable. More precisely:
$Even \in INV(FOL) - IMP(FOL)$ and $s\text{-}t\text{-}conn \in IMP(FOL) - INV(FOL)$.

Proof. $Even \in INV(FOL) - IMP(FOL)$ follows from example 1 and lemma
4. $s\text{-}t\text{-}conn \in IMP(FOL) - INV(FOL)$ follows from example 4, theorem 2
and theorem 5. □

The notion of invariant definability is not interesting for traditional First
Order Logic (FOL) over arbitrary $\tau$-structures, as the following shows:

Proposition 2. If a class of $\sigma$-structures K is strictly $K_0$-invariantly
FOL-definable on all (finite and infinite) structures then K is already FOL-definable.
Moreover, if $\mathcal{L}$ is a $\Delta$-closed logic, i.e. if $\Delta(\mathcal{L}) = \mathcal{L}$, then every class
$K \in INV(\mathcal{L})$ is already $\mathcal{L}$-definable.

Proof: By lemma 3, both K and its complement are projective classes in FOL,
and therefore, by Craig's Interpolation Theorem for FOL, K is FOL-definable.

□

4 Uniformity conditions

As we said in the introduction it is now natural to ask what happens if we restrict
our advice sequences to definable or computable sequences. In view of the
one-one correspondence between fin-categorical classes and advice sequences, we say
that an R-advice sequence $(\mathfrak{A}_i, i \in \mathbb{N})$ is in a complexity class $\mathbf{C}$ if the class of
structures $K = \{\mathfrak{A}_i : i \in \mathbb{N}\} \in \mathbf{C}$. Similarly, we say that the R-advice sequence
$(\mathfrak{A}_i, i \in \mathbb{N})$ is definable in a logic $\mathcal{L}$ if there exists an R-sentence $\phi$ in $\mathcal{L}$ such that

$\mathfrak{B} \in K$ iff $\mathfrak{B} \models \phi$.

Let $\mathbf{C}$, $\mathbf{D}$ be complexity classes and $\mathcal{L}$ be a logic. Let us denote by $\mathbf{C}/\mathbf{D}$ ($\mathbf{C}/\mathcal{L}$)
the class of languages recognized by machines from $\mathbf{C}$ with advice sequences in
$\mathbf{D}$ (definable in $\mathcal{L}$).

Note that this notion of uniformity imposed on the complexity of the advice 
sequence is different from the usual uniformity imposed on the complexity of the 
circuits. 

It is well known, [BS90, Theorem 2.2], that $K \in P/poly$ iff K has polynomial
circuit complexity. Our uniformity condition concerns the complexity
or definability of the advice sequence, not of the circuits. A priori, this is a
weaker assumption, as it does not affect the circuit size. For uniformity
conditions imposed on the circuit families, cf. [BIS90,BI94]. However, the proof of
[BS90, theorem 2.1] shows that for polynomial size circuits the two uniformity
conditions are related, as the circuits can be computed from the Turing machine.
We shall elaborate on the exact relationship between the two kinds of uniformity
in a subsequent paper.

Theorem 3 can easily be generalized to 

Theorem 6. If a logic $\mathcal{L}$ captures the complexity class $\mathbf{C}$ over ordered
structures, then $K \in \mathbf{C}/\mathcal{L}$ iff K is strictly invariantly $\mathcal{L}$-definable.

Proof. We prove it for $\mathbf{C} = P$ and $\mathcal{L} = IFP$, leaving the generalization to the
reader. As ORD is FOL-definable it is also IFP-definable (this holds also for
other $\mathcal{L}$, as logics are assumed to be extensions of FOL). Now for K strictly
invariantly definable in IFP we have $K \in P/P$. Conversely if $K \in P/P$, there
is an R-advice sequence A with $\{1^n a_n : n \in \mathbb{N}\} \in P$ such that $B_K @ A \in P$.
Hence there is a $\phi \in IFP(R \cup S)$, which defines K invariantly using the class of
ordered R-structures $K_A$ and also $K_A \in P$. Using the Immerman-Sazonov-Vardi
Theorem, we get that $K_A$ is definable in IFP. □

The same idea gives also the following generalization: 

Theorem 7. Let be logics which capture complexity classes $\mathbf{C}_1, \mathbf{C}_2$
respectively on ordered structures. A class of S-structures K is in $\mathbf{C}_1/\mathbf{C}_2$ iff K is
$\mathbf{C}_2$-invariantly definable in $\mathcal{L}_1$.

Furthermore, advice sequences which are in NP do not help much in the 
following sense: 

For $\mathcal{L} \subseteq SOL$ let $Exist\mathcal{L}$ be the class of existential second order formulas
$\exists S \phi(R, S)$ with $\phi \in \mathcal{L}$. Recall that, by Fagin's theorem, cf. [EF95], $K \in NP$ iff
K is definable in ExistFOL.

Theorem 8. For a regular logic $\mathcal{L}$, a class K is strictly invariantly $\mathcal{L}$-definable
iff K is $Exist\mathcal{L}$-invariantly $\mathcal{L}$-definable.

In particular, a class K is strictly invariantly FOL-definable iff K is
ExistFOL-invariantly FOL-definable iff K is NP-invariantly FOL-definable.

Proof. From left to right this is trivial. For the other direction we use lemma 3.
If K is $Exist\mathcal{L}$-invariantly definable, there is a formula $\exists U \theta(R, U)$ with $\theta \in \mathcal{L}$
and a formula $\phi(S, R) \in \mathcal{L}$ such that

$\mathfrak{A} \in K$ iff $\mathfrak{A} \models \exists R(\exists U \theta(R, U) \wedge \phi(S, R))$

and equivalently

$\mathfrak{A} \in K$ iff $\mathfrak{A} \models \forall R(\exists U \theta(R, U) \to \phi(S, R))$

By moving the quantification of U outside we obtain

$\mathfrak{A} \in K$ iff $\mathfrak{A} \models \exists R \exists U(\theta(R, U) \wedge \phi(S, R))$

and, similarly,

$\mathfrak{A} \in K$ iff $\mathfrak{A} \models \forall R \forall U(\theta(R, U) \to \phi(S, R))$

As U does not appear in $\phi$ this shows that K is strictly invariantly $\mathcal{L}$-definable.

□

How does the computational power of circuit complexity classes change with 
changing restrictions on the complexity or definability of the advice sequences? 

Proposition 3.

(i) $P/NP \subseteq NP \cap CoNP$;

(ii) On unary languages (tally languages) the equality

$L/FOL = P/FOL = NP \cap CoNP$

holds, hence $NP \cap CoNP \subseteq P/poly$ on unary languages.

(iii) $PSpace/PSpace = PSpace$, and hence, $PSpace/P \subseteq PSpace$.

(iv) Therefore, if $NP \neq CoNP$, then $NP \not\subseteq P/NP$.

Proof. For (i) we use theorem 8 and Fagin's characterization of NP as the class
of $\exists SOL$-definable classes of structures, cf. [EF95].

To see (ii) we observe that tally languages can be viewed as classes K of
S-structures with $S = \emptyset$. We use again Fagin's theorem. If $K \in NP \cap CoNP$,
there are two formulas $\phi_1 \in FOL(R_1)$ and $\phi_2 \in FOL(R_2)$ such that $\mathfrak{A} \in K$
iff $\mathfrak{A}$ has an $R_1$-expansion satisfying $\phi_1$ and $\mathfrak{A} \notin K$ iff $\mathfrak{A}$ has an $R_2$-expansion
satisfying $\phi_2$. Now let $K_0$ be the class of $R_1 \cup R_2$-structures which satisfy $\phi_1 \vee \phi_2$.
It is now clear that $\phi_1 \in FOL(R_1 \cup R_2)$ defines K $K_0$-invariantly.

To see (iii) we use Savitch's theorem which asserts that NPSpace = PSpace
and theorem 8. Finally, (iv) follows from (i). □

5 Outlook and comparison with related work

5.1 Non-uniform case 

The non-uniform classes have been characterized logically already before, using
auxiliary numerical predicates, with a variation of it called also Ajtai-definability
in [Mak97]. Here the interpretation of the auxiliary predicates R depends only
on the cardinality of the structure (hence the name numerical). The exact
relationship between ill-invariant definability and iH-Ajtai definability was studied
in [Mak97]. Immerman characterized $AC_0$ in [Imm87] and Molzan states and
proves in [Mol90, Theorem 3.3] the analogue of theorem 3 for definability with
numerical relations (predicates) which are unary relations. Although our proof
contains the same ingredients as his, our treatment has several, not only
cosmetic, advantages: Our framework allows us

(i) to treat also numerical relations with richer vocabularies, including linear
order ORD;

(ii) to include Ajtai's notion of definability as part of the general unified picture;

(iii) to compare the various notions of invariant definability with other notions
of definability, linking non-uniform circuit complexity with traditional
definability theory, as explained in section 3.

Extensions of Molzan's work may be found in [AB97], where $\mathbf{C}/log$ is
characterized for logarithmically bounded advice sequences. Although we were not aware
of [Mol90] and [AB97] when proving our results, the technical content is very
similar. Our results were first presented in August 1997 at ESSLLI'97, [Mak].
From our proposition 3 we know that on unary languages (tally languages)

$NP \cap CoNP \subseteq L/poly \subseteq P/poly$.

Problem 1. What can we say about $P/poly - L/poly$ in general, and in particular
on unary languages?

For binary languages the situation is wide open. It is known, cf. [BS90], that
$P/poly - NP \neq \emptyset$, and that if $NP \subseteq P/poly$ then the polynomial hierarchy
collapses to the second level.

Problem 2. Can we find a language or class of finite structures K with

$K \in L/poly - NP \cap CoNP$

or could it be that

$NP \cap CoNP \subseteq P/poly$?

5.2 Uniform cases 

Uniform cases of circuit complexity classes have been studied extensively, start- 
ing with [GL84] and continuing with [BIS90,Lin92,BI94]. But in all these papers 
the uniformity required concerns the computability/definability of the circuits 
used to compute K. In our definition of $\mathbf{C}/\mathbf{D}$ we look at classes K computable in
$\mathbf{C}$ using advice sequences computable in $\mathbf{D}$. This latter notion is a priori weaker,
but, assuming that $NP \cap CoNP - P$ contains a unary language, we have that
$P/P - P \neq \emptyset$, cf. proposition 3.

Our preference of implicit definability over definability with numerical
predicates is more of a logical nature: The generalization of definability via numerical
predicates to infinite structures leads to an artificial concept which is non-logical
in its very nature. Choosing a unique well-ordering on a set of fixed
cardinality (e.g. the initial ordinal) such as to make it into a 'numerical' predicate is
a set theoretic, rather than a logical choice. In contrast to this the notion of
invariant definability is a notion which is inherently logical. We often establish
certain properties of mathematical objects using well-orderings invariantly, i.e.
independently of the particular choice of the well-ordering which we use in the
proof. The logical character of invariant definability can also be seen in the fact,
cf. proposition 2, that on finite and infinite structures, strict invariant
definability for First Order Logic is provably the same as explicit definability for
First Order Logic (and the same holds for any other logic which satisfies Craig's
Interpolation Theorem). The difference between invariant and explicit
definability (for FOL) becomes only apparent when we restrict our framework to finite
structures.



5.3 Oracles vs. advice 

In our comparisons we want to make a final remark on oracle complexity classes.
We have seen that in general P/NP does not contain NP unless NP = CoNP.
However, if we consider the class of languages $P^{NP}$ ($L^{NL}$) accepted by
polynomial time (logarithmic space) Oracle Turing machines using oracles from NP
(NL), the picture is as follows:

$P^{NP}$ does contain NP and is closed under complements. Hence we have

$P/NP \subseteq NP \cap CoNP \subseteq NP \cup CoNP \subseteq$

On the other hand our analysis in proposition 3 shows that on unary languages
we have

$L^{NL} \subseteq P \subseteq L/NL$.

In other words NP oracles are stronger than NP advice, whereas, on unary
languages, NL advice is stronger than NL oracles.

Oracle complexity classes have been studied from a logical point of view by
Gottlob, Gradel, Makowsky and Pnueli, Stewart, and more recently by Frick and
Frick, Makowsky and Pnueli, [Got97,Gra90,Ste91,Ste92,Ste93b,Ste93a],
[MP94,MP95] and [Fri97,FMP99].

5.4 Conclusions and further research

For the cases of the complexity classes $\mathbf{C} \in \{L, NL, P, NP, PSpace\}$ we have
shown that the notion of invariant definability in a logic $\mathcal{L}$ fits exactly to capture
a non-uniform complexity class $\mathbf{C}/poly$ whenever $\mathcal{L}$ captures $\mathbf{C}$ over ordered
structures. We have also seen that ORD-invariant definability in $\mathcal{L}$ suffices to
capture $\mathbf{C}$.

It remains an intriguing question whether ORD-invariant definability can be
replaced by some other class of R-structures $K_0$, such that if $K \in P$ then K is
$K_0$-invariantly definable in IFP.

Eric Rosen has observed, cf. [Mak97], that if we require that $K_0$ be
fin-categorical and closed under substructures then either $K_0$ contains only trivial
structures or ORD is parametrically FOL-definable in $K_0$, i.e. there is a formula
$\phi(x, y, z) \in FOL(R)$ such that whenever $\mathfrak{A} \in K_0$ there are $(a_1, a_2, \ldots, a_k) = \bar{a}$
such that $\phi(x, y, \bar{a})$ defines a linear order on $\mathfrak{A}$.

We conjectured in [Mak97]:

Conjecture 1. If $K_0$ is a class of R-structures such that whenever $K \in P$ then K
is $K_0$-invariantly definable in IFP, then ORD is parametrically IFP-definable
in $K_0$.

Ajtai has succeeded in showing that Parity is not in $AC_0$ using
logico-combinatorial methods, [Ajt83]. In fact he showed that Parity is not
invariantly FOL-definable. The question is whether Ajtai's methods can be extended
to some other logics such as IFP? A positive answer would allow us to exhibit
classes K of structures which were not in P/poly. If such a K were in NP we
would get $NP \not\subseteq P/poly$.

An obvious (but difficult) candidate for such a class is Ham, the class of 
finite undirected graphs with a Hamiltonian cycle. 

The following is known: 

(i) Ham is not invariantly FOL-definable.

(ii) Ham is not definable in IFP without order.

(iii) If Ham is FOL-invariantly definable in IFP, then NP = CoNP.

The first two statements can be seen by using non-relativizing FOL-reductions
to Parity. The last statement follows from the Immerman-Sazonov-Vardi
Theorem.

Conjecture 2. Ham is not invariantly (not FOL-invariantly) definable in IFP.
Note however, that Ham is ORD-invariantly definable in the finite variable logic
$L^{\omega}_{\infty\omega}$, cf. the remark in section 1.

As the conjecture implies $P \neq NP$, we admit that we are very far from such
an application, and we are not too optimistic that a breakthrough could be
achieved using Ham. But it might be possible, and very instructive, to show that
for some explicitly given $K \in NP$, K is not invariantly (not FOL-invariantly)
definable in IFP.
Abstract. We show that deciding the winner of the r-moves
Ehrenfeucht-Fraisse game on two finite structures A and B, over any fixed
signature $\Sigma$ that contains at least one binary and one ternary relation,
is PSPACE complete. We consider two natural modifications of the EF
game, the one-sided r-moves EF game, where the spoiler can choose
from the first structure A only, and therefore the duplicator wins only if
B satisfies all the existential formulas of rank at most r that A satisfies;
and the k-alternations r-moves EF game (for each fixed k), where the
spoiler can choose from either structure, but he can switch structure at
most k times, and therefore the duplicator wins iff A and B satisfy the
same first order formulas of rank at most r and quantifier alternation at
most k (defined in the paper). We show that deciding the winner in both
the one-sided EF game and the k-alternations EF game is also PSPACE
complete.



1 Introduction 

Two structures A and B are r-equivalent ($A \equiv_r B$) if they satisfy the same
first order formulas of quantifier depth at most r; A and B are $L^s_{\infty\omega}$-equivalent
($A \equiv^s_{\infty\omega} B$) if they satisfy the same $L^s_{\infty\omega}$ (or even just first order, for finite
structures) formulas with at most s variables (free or bound). Equivalently A
and B are r-equivalent or $L^s_{\infty\omega}$-equivalent if the duplicator wins the r-moves
Ehrenfeucht-Fraisse game (EF game) or the s-pebbles pebble game on A and
B, respectively. r-equivalence and $L^s_{\infty\omega}$-equivalence play an important role in
logic and computer science, and in particular in descriptive complexity theory,
which aims to characterize the queries in a given complexity class by means of
a logic in which they can be described. To show that a class K of structures
is not axiomatizable in first order logic (or in $L^{\omega}_{\infty\omega}$), in fact, it is sufficient to
show that for every r (s) there are structures $A \in K$ and $B \notin K$, with $A \equiv_r B$
($A \equiv^s_{\infty\omega} B$). See for example [1]. We are interested in determining the complexity
of deciding whether two finite structures are r-equivalent, and we will call this
the Ehrenfeucht-Fraisse problem (EF problem), or $L^s_{\infty\omega}$-equivalent, and we will
call this the pebble problem. If the number r of moves is fixed then it is easy to
see that the EF problem is in LOGSPACE. Martin Grohe [4] has shown that, if
the number s of pebbles is fixed, the pebble problem is complete for PTIME. If
r and s are part of the input, the exact complexity of both the EF problem and
the pebble problem was so far open. It is easy to see that the EF problem is in
PSPACE, and that the pebble problem is in EXPTIME, but neither had been
proved complete yet. In this paper we show that the EF problem is complete
for PSPACE. We also consider two natural modifications of the EF problem on
two finite structures A and B: the one-sided EF problem, where the spoiler can
choose from the first structure A only, and therefore the duplicator wins only if
B satisfies all the existential formulas of rank at most r that A satisfies; and the
k-alternations r-moves EF game (for each fixed k), where the spoiler can choose
from either structure, but he can switch structure at most k times, and therefore
the duplicator wins iff A and B satisfy the same first order formulas of rank at
most r and quantifier alternation (defined below) at most k, and show that they
are also PSPACE complete. One can view these EF problems and the pebble
problem as an approximation to the structure isomorphism problem [6], whose
complexity is very problematic; instead of asking whether two finite structures
are isomorphic, that is whether they agree on all first order formulas, we change
the class of formulas they have to agree on, and consider the complexity of the
corresponding problem.

In this paper we will provide only sketches of the proofs. Full proofs will 
appear elsewhere [2], [3]. 

2 Background 

We give here the definition of Ehrenfeucht-Fraisse game, one sided
Ehrenfeucht-Fraisse game, and k-alternations Ehrenfeucht-Fraisse game.

Definition 1. Let (G, H) be a pair of structures over a given vocabulary, and
$\gamma$, $\theta$ strings of elements in G and H respectively; the r-moves EF game (EF
game) on $(G, \gamma, H, \theta)$ is played by two players called the spoiler and the
duplicator. Each player has to make r moves in the course of the play. The players
take turns. In the $i^{th}$ round the spoiler selects one of the structures G or H and
an element from that structure; the duplicator answers by choosing an element
from the structure not chosen by the spoiler. At the end of r rounds the
duplicator wins iff $(\gamma, g_1, \ldots, g_r) \mapsto (\theta, h_1, \ldots, h_r)$ is a partial isomorphism from G
to H, where $g_1, \ldots, g_r$ are the elements chosen from G by either the spoiler or
the duplicator in round $1, \ldots, r$ and $h_1, \ldots, h_r$ are the elements chosen from H.
Otherwise the spoiler wins.

The connection with logic comes from the following: 

Definition 2. The quantifier rank (or simply rank) of a first order formula $\varphi$
is the maximum number of nested quantifiers in it, defined by induction by:

1. $qr(\varphi) = 0$ if $\varphi$ is atomic.

2. $qr(\neg\varphi) = qr(\varphi)$.

3. $qr(\varphi \vee \psi) = qr(\varphi \wedge \psi) = \max\{qr(\varphi), qr(\psi)\}$.

4. $qr(\exists x \varphi) = qr(\forall x \varphi) = 1 + qr(\varphi)$.

Theorem 1. The duplicator wins the r-moves EF game on $(G, \gamma, H, \theta)$ iff $\gamma$
and $\theta$ satisfy the same formulas of rank at most r, that is iff

$G \models \varphi(\gamma)$ iff $H \models \varphi(\theta)$

for all $\varphi$ of quantifier rank at most r.

For a proof see [1].

We also want to consider the following game: 

Definition 3. Let G, H, $\gamma$, $\theta$ be as in Definition 1. The r-moves one-sided EF
game on $(G, \gamma, H, \theta)$ is played like the EF game, except that the spoiler can
choose from structure G only. The winning condition is as in the EF game.

The only difference between the one-sided EF game and the ordinary EF game
is that in the one-sided EF game the spoiler is restricted to choose from the
first input structure only. It is possible to give a logical characterization of the
one-sided EF game in the spirit of Theorem 1.

Definition 4. Existential formulas are defined by the clauses:

1. All quantifier free formulas are existential.

2. If $\varphi$ and $\psi$ are existential then $\varphi \vee \psi$ and $\varphi \wedge \psi$ are existential.

3. If $\varphi$ is existential then $\exists x \varphi$ is existential.

Theorem 2. The duplicator wins the n-moves one-sided EF game on
$(G, \gamma, H, \theta)$ iff $\theta$ satisfies all the existential formulas of rank $\leq n$ that $\gamma$
satisfies.

Proof: the proof is similar to that of Theorem 1.

A generalization of the one-sided EF game consists in allowing the spoiler to 
choose from either structure, but with a bound k on the number of times he al- 
ternates, that is chooses in one round from a different structure than the previous 
round. 

Definition 5. Let k be a natural number. Let G, H, $\gamma$, $\theta$ be as in Definition 1.
The k alternations r-moves one-sided EF game on $(G, \gamma, H, \theta)$ is played like the
EF game, except that the spoiler is allowed at most k alternations. The winning
condition is as in the EF game.

Again it is possible to relate this game to logic.

Definition 6. The external quantifier set and alternation number of a first
order formula are defined by induction as follows:

1. The external quantifier set of an atomic formula is empty; the alternation
number is 0.

2. The external quantifier set of a formula $\varphi \mathbin{b} \psi$, where $b$ is $\wedge$ or $\vee$, is
equal to $Q_\varphi \cup Q_\psi$; the alternation number is the maximum of the alternation
numbers of $\varphi$ and $\psi$.

3. The external quantifier set of $\neg\varphi$ is obtained by replacing $\exists$ with $\forall$ and vice
versa in the external quantifier set of $\varphi$; the alternation number is the same
as that of $\varphi$.

4. The external quantifier set of $\exists x \varphi$ is $\{\exists\}$; the alternation number is the
same as that of $\varphi$ if $Q_\varphi$ does not contain $\forall$, and it is one plus the alternation
number of $\varphi$ otherwise.

5. The external quantifier set of $\forall x \varphi$ is $\{\forall\}$; the alternation number is the
same as that of $\varphi$ if $Q_\varphi$ does not contain $\exists$, and it is one plus the alternation
number of $\varphi$ otherwise.

Theorem 3. The duplicator wins the r-moves, k alternation EF game on
$(G, \gamma, H, \theta)$ iff $\gamma$ and $\theta$ satisfy the same formulas of rank at most r and
alternation number at most k.

Proof: A proof is given in [2].

Definition 7. Given a fixed signature $\Sigma$, we will call the EF problem (for $\Sigma$),
the one sided EF problem (for $\Sigma$) and the k-alternations EF problem (for $\Sigma$)
the following problems, respectively: given as input two finite structures A and B
over $\Sigma$, and a number r, determine who wins the r-moves EF game, one-sided
EF game, k-alternations EF game on A and B.
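The three games of Definitions 1, 3 and 5 can be decided on small inputs by exhaustive game-tree search, which is the straightforward polynomial-space procedure, not the hardness reduction of the paper. The following Python code is an added example, not code from the paper; the names `Structure`, `duplicator_wins`, `linear_order` and `path_graph` and the sample structures are assumptions made for illustration.

```python
from itertools import product


class Structure:
    """Finite relational structure: universe plus {name: (arity, set of tuples)}."""

    def __init__(self, universe, relations):
        self.universe = list(universe)
        self.relations = {n: (ar, {tuple(t) for t in ts})
                          for n, (ar, ts) in relations.items()}


def is_partial_isomorphism(G, H, gs, hs):
    """True iff g_i -> h_i is well defined, injective and preserves every relation."""
    n = len(gs)
    if n != len(hs):
        return False
    for i in range(n):
        for j in range(i + 1, n):
            if (gs[i] == gs[j]) != (hs[i] == hs[j]):
                return False
    for name, (arity, rel_g) in G.relations.items():
        _, rel_h = H.relations[name]  # both structures share one vocabulary
        for idx in product(range(n), repeat=arity):
            in_g = tuple(gs[i] for i in idx) in rel_g
            in_h = tuple(hs[i] for i in idx) in rel_h
            if in_g != in_h:
                return False
    return True


def duplicator_wins(G, H, r, gamma=(), theta=(), one_sided=False,
                    max_alternations=None):
    """Decide the r-moves EF game on (G, gamma, H, theta).

    one_sided=True: the spoiler may choose from G only (Definition 3).
    max_alternations=k: the spoiler may switch structure at most k times
    (Definition 5); None means no bound (Definition 1).
    """
    gs, hs = tuple(gamma), tuple(theta)
    if not is_partial_isomorphism(G, H, gs, hs):
        return False
    return _play(G, H, r, gs, hs, one_sided, max_alternations, None)


def _play(G, H, rounds, gs, hs, one_sided, alts, last_side):
    if rounds == 0:
        return True  # only partial isomorphisms are ever extended, see _reply_holds
    for side in (("G",) if one_sided else ("G", "H")):
        alts_left = alts
        if alts is not None and last_side is not None and side != last_side:
            if alts == 0:
                continue  # no alternations left: the spoiler cannot switch
            alts_left = alts - 1
        src, dst = (G, H) if side == "G" else (H, G)
        for a in src.universe:
            if not any(_reply_holds(G, H, rounds, gs, hs, one_sided,
                                    alts_left, side, a, b)
                       for b in dst.universe):
                return False  # spoiler's move a has no winning answer
    return True


def _reply_holds(G, H, rounds, gs, hs, one_sided, alts_left, side, a, b):
    g, h = (a, b) if side == "G" else (b, a)
    ngs, nhs = gs + (g,), hs + (h,)
    # A map that is not a partial isomorphism now can never become one later,
    # so losing positions are pruned immediately.
    return (is_partial_isomorphism(G, H, ngs, nhs)
            and _play(G, H, rounds - 1, ngs, nhs, one_sided, alts_left, side))


def linear_order(n):
    """Constructed sample: the linear order 0 < 1 < ... < n-1."""
    pairs = {(i, j) for i in range(n) for j in range(n) if i < j}
    return Structure(range(n), {"<": (2, pairs)})


def path_graph(n):
    """Constructed sample: undirected path on n vertices (symmetric E)."""
    edges = {(i, i + 1) for i in range(n - 1)}
    return Structure(range(n), {"E": (2, edges | {(j, i) for i, j in edges})})


if __name__ == "__main__":
    print(duplicator_wins(linear_order(3), linear_order(4), 2))
    print(duplicator_wins(linear_order(3), linear_order(4), 3))
    print(duplicator_wins(path_graph(3), path_graph(4), 2, max_alternations=0))
    print(duplicator_wins(path_graph(3), path_graph(4), 2, max_alternations=1))
```

On the paths with 3 and 4 vertices the spoiler needs one alternation to win in two moves: he picks the middle vertex of the shorter path, then switches and picks a non-neighbour of the duplicator's answer.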

3 Complexity of the EF problem 

It is easy to show that the EF problem is in PSPACE (for any signature $\Sigma$,
actually even if $\Sigma$ is part of the input); our goal here is to show hardness for
PSPACE. We will use a reduction from the following game theoretic version of
Quantified Boolean Formula (QBF).

Definition 8. The Quantified Boolean Formula game is played by two players,
I and II; on input a formula of the form $\varphi = \exists x_1 \forall x_2 \ldots \exists x_{2r-1} \forall x_{2r}(C_1 \wedge \ldots \wedge C_n)$
the game continues for r rounds. In round i player I chooses a truth assignment
for variable $x_{2i-1}$ and then player II chooses a truth value for $x_{2i}$. At the end
of the r rounds, player I wins iff the assignment that has been produced makes
$C_1 \wedge \ldots \wedge C_n$ true.

We call the QBF problem the problem of deciding who wins the QBF game on
a certain input formula.

Theorem 4 ([7]). The QBF problem is PSPACE complete.

Theorem 5. The EF problem (for finite structures over any fixed signature $\Sigma$
that contains at least one binary and one ternary relation) is PSPACE complete.

The plan of the proof is to show that the QBF problem reduces to the EF
problem. Given any quantified boolean formula of the form

$\varphi = \exists x_1 \forall x_2 \ldots \exists x_{2r-1} \forall x_{2r}(C_1 \wedge \ldots \wedge C_n)$

we will show how to construct structures A and B over a signature with
a binary relation and a ternary relation H, such that player I wins
the QBF game on input $\varphi$ iff the spoiler wins the 2r + 1-moves EF game on
(A, B). The main difficulty originates from the fact that in each round of the
QBF game player I and II can assign a truth value to one given variable only,
while the spoiler and the duplicator have much more freedom and the spoiler,
in particular, in any round of the EF game can choose any vertex he wants.
The proof will proceed by first imposing additional constraints on the spoiler
and the duplicator, for example requiring them in each round to choose from
a certain subset of the vertices of A and B only, as explained below, so that
the EF game with constraints will closely reflect the QBF game. Then it will be
easy to show that player I wins QBF game on input $\varphi$ iff the spoiler wins the
2r + 1-moves EF game with constraints on (A, B). To complete the proof it will
be necessary to show that the first player that does not respect the constraints
is going to lose the EF game. Both structures A and B consist of r blocks;
the idea is that choosing some of the vertices in block i of A or B in a move
of the EF game corresponds to assigning truth value T or F to variable $x_i$ or
to variable $x_{i+1}$ of $\varphi$ (we will label such vertices by $T(x_i)$, $F(x_i)$, $T(x_{i+1})$ or
$F(x_{i+1})$ or sometimes simply by T and F), choosing other vertices in block i
will correspond to recording that a certain truth value has been assigned to $x_i$
in a previous move, and to choosing a truth value for $x_{i+1}$ (we will label such
elements by $TF(x_i x_{i+1})$, $TT(x_i x_{i+1})$, ...); then there are also vertices in block
i that do not correspond to any truth assignment to the variables of $\varphi$ (we will
denote any such vertex simply by $v^*$). We then consider constraining the spoiler
and the duplicator to play from block i in round i and i + 1, i odd, and in the
following way:

        round i                     round i + 1
  A     s : $T(x_i)$                d : $F(x_{i+1})$
  B     d : $TF(x_i x_{i+1})$       s : $v^*$

This means that in round i the spoiler must first assign a truth value to variable
$x_i$ (by choosing an element $T(x_i)$ or $F(x_i)$ in block i of structure A), duplicator
must record the spoiler's assignment and assign a truth value to variable $x_{i+1}$ (by
choosing an element $TT(x_i x_{i+1})$ or $TF(x_i x_{i+1})$ or $FT(x_i x_{i+1})$ or $FF(x_i x_{i+1})$
in block i of structure B); then the spoiler must play some vertex $v^*$, in block
i of structure B, which does not correspond to a truth assignment, and the
duplicator must record the truth assignment to variable $x_{i+1}$ in structure A as
well (by choosing some element $T(x_{i+1})$ or $F(x_{i+1})$ in block i of A). At the end
of the first 2r rounds played in this fashion, a truth assignment of the variables
of $\varphi$ has been determined by the two players of the EF game. In the last move
the spoiler will have a chance to win iff the assignment makes $\varphi$ true. The main
difficulty is to ensure that the spoiler loses if he does not follow the rules.

In the next section we will construct preliminary structures $A_k$ and $B_k$ over
a signature containing a binary relation only, and prove some useful facts about
them. Structures A and B will be obtained by introducing a ternary relation on
the vertices of $A_k$ and $B_k$ (after some minor modification). $A_k$ and $B_k$ consist of
r blocks; the blocks are gadgets $I_j$ (see Figure 3), introduced in the next section,
which are in turn built out of other gadgets $J_m$ and $L_m$.

We will say that in the s-moves EF game on two structures, the spoiler forces
a pair $(y, y')$ if he can play $y$ (or $y'$) and the duplicator must answer with $y'$ (or
$y$) not to lose the game.



3.1 The structures $A_k$ and $B_k$

We first need to introduce gadgets $J_k$ and $L_k$ shown in Fig. 1. They are somewhat
similar to gadgets used in [5] and [4]. An edge between a vertex v and the symbol
$k$ or $k - 1$ means that v has $k$ or $k - 1$ additional neighbours, not shown in
the figure. They will be called special neighbours. Special neighbours of distinct
vertices are all distinct. Vertices with special neighbours will be called vertices in
the middle. Then gadget $I_k$ is built using gadgets $J_k$ and $L_k$ as follows (see Fig.
2): $I_k$ has vertices $x, x', y, y'$; $x$ and $x'$ have each 16 neighbours; again we will call
them vertices in the middle, the vertices in the middle have $k$ or $k - 1$ additional
neighbours (besides $x$ or $x'$); again they will be called special neighbours; in
addition each vertex v in the middle is glued to a separate copy of a gadget $J_{k-1}$
or $L_{k-1}$, disjoint from all others, so that v coincides with $z$ and $y$ with $t$ and $y'$
with $t'$ as follows:

1. Eight of the vertices in the middle connected with $x$ have $k$ special
neighbours; four of them are glued to an $L_{k-1}$ gadget, and four to a $J_{k-1}$.

2. Eight of the vertices in the middle connected with $x$ have $k - 1$ special
neighbours; four are glued to an $L_{k-1}$ gadget, and four to a $J_{k-1}$ gadget.

3. Four of the vertices in the middle connected with $x'$ have $k$ special
neighbours, and they are glued to an $L_{k-1}$ gadget.

4. The remaining 12 vertices in the middle connected with $x'$ have $k - 1$ special
neighbours; four of them are glued to an $L_{k-1}$ gadget, and eight to a $J_{k-1}$
gadget.

Fig. 1. The gadgets $J_k$ and $L_k$

Fig. 2. The gadget $I_k$

We will denote a vertex in the middle of gadget I, J and L by giving its
neighbours, or the gadget it is glued to; so, for example, if v is a vertex in the
middle of gadget $I_k$, $v = kxJ$ means that v is any of the 4 vertices with $k$ special
neighbours and glued to a $J_{k-1}$ gadget; $(k - 1)vy$ stands for a vertex in the
middle of gadget J, having $k - 1$ special neighbours and connected to v and y.
We need the following lemma:

Lemma 1. In the k + 1-moves EF game on $(I_k, x, I_k, x')$, the spoiler can force
the pair $(y, y')$, but the duplicator has a strategy to win the k-moves EF game
that allows him to answer $y$ with $y$ and $y'$ with $y'$.

Proof: (sketch) In the k + 1-moves game the spoiler can start by playing $v = kxJ$
and the duplicator must answer with $w = kx'L$, then the spoiler can select
$w(k - 1)y'$ in gadget $L_{k-1}$ and the duplicator must answer $v(k - 1)y$ in gadget
$J_{k-1}$. With only k moves the duplicator can follow a partial isomorphism that
maps $x$ to $x'$, $y$ to $y$ and $y'$ to $y'$. The only problem may be if the spoiler plays
all $k$ special neighbours of, say, some $kxJ$; but then the duplicator can play all
$k - 1$ neighbours of $(k - 1)x'J$ and any additional vertex not connected to $x'$.

Definition 9. Let k be even and let $A_k$ consist of k/2 copies of I gadgets,
$I_k, I_{k-2}, I_{k-4}, \ldots, I_2$ with the $y$ ($y'$) vertex of the $i^{th}$ gadget coinciding with
the $x$ ($x'$) vertex of the $(i + 1)^{th}$ gadget, plus an additional vertex connected to
the $x$ vertex of the first gadget $I_k$, as shown in figure 3, and $B_k$ be the same as
$A_k$ except that it has an additional vertex connected to $x'_1$ and not $x_1$.

We will say that gadget $I_{k-2(i-1)}$ is the $i^{th}$ block of $A_k$ or $B_k$. Now we want to
consider the k + 1-moves EF game on $A_k$ and $B_k$, and show that the spoiler can
force the pair $(x_{k+1}, x'_{k+1})$ only if he follows a precise strategy of first choosing
certain elements in block 1, then certain elements in block 2, and so on. Once we
have constructed structures A and B from $A_k$ and $B_k$ this strategy will correspond
to assigning truth value to the variables of $\varphi$, and so on as explained at the end
of Section 2.




Fig. 4. The first two lawful moves 



Definition 10. Consider the k + 1-moves EF game on $A_k$ and $B_k$; we will say
that the players play lawfully if in round i, i < k + 1 and i odd, the spoiler
chooses a vertex v in the i-th block, $v = (k - 2(i - 1))x_iJ$ (or a special neighbour
of v) from the middle of gadget $I_{k-2(i-1)}$ and the duplicator answers with some
$w = (k - 2(i - 1))x'_iL$ (or a special neighbour of w). In the next round the spoiler
plays lawfully if he chooses vertex $(k - 2(i - 1) - 1)wx'_{i+1}$ (or a special neighbour)
or vertex $(k - 2(i - 1) - 2)wx_{i+1}$ in gadget L (or a special neighbour), and the
duplicator plays lawfully if he plays vertex (k - 2(i - 1) - (if the spoiler
has played (k - 2(i - 1) - or a special neighbour if the spoiler has played
a special neighbour of $(k - 2(i - 1) - 1)wx'_{i+1}$) or vertex $(k - 2(i - 1) - 2)vx'_{i+1}$
(if the spoiler has played $(k - 2(i - 1) - 2)wx_{i+1}$ or a special neighbour if the
spoiler has played a special neighbour of $(k - 2(i - 1) - 2)wx_{i+1}$) in gadget J.
(See Fig where the spoiler's moves are marked s, the duplicator's d.) In the
last round the spoiler plays lawfully if he chooses $x_{k+1}$ or $x'_{k+1}$, from either A or
B, and the duplicator if he plays $x'_{k+1}$ (if the spoiler has played $x_{k+1}$) or $x_{k+1}$
(if the spoiler has played $x'_{k+1}$) from B or A.

Theorem 6. In the k + 1-moves EF game on $A_k$ and $B_k$ we have that if
the spoiler plays lawfully, he can force a pair $(x_{k+1}, x'_{k+1})$; but if he does not
play lawfully the duplicator has a strategy to win the game and answer $x_{k+1}$ with
$x_{k+1}$ and with

Proof (sketch): let move j be the first unlawful move of the spoiler. Then for the 
rest of the game the duplicator can play according to the partial isomorphism 
that maps Xj to xb and xi to xi, x[ to x[ for I > j. 



3.2 The Main Theorem 

We are now ready to describe the structures A and B. Recall that our goal is to
show that player I wins the QBF game on input

$\phi = \exists x_1 \forall x_2 \cdots \exists x_{2r-1} \forall x_{2r} (C_1 \wedge \ldots \wedge C_n)$

iff the spoiler wins the 2r + 1-moves EF game on (A, B).

A and B are obtained by introducing a ternary relation H on the vertices
of structures $A_k$ and $B_k$ (after minor modifications), with k = 2r. In order to
motivate the definition of H, consider the k + 1-moves EF game on $A_k$ and $B_k$.
For simplicity, consider a lawful strategy defined as in Definition 10, except that
the players must play vertices in the middle, and not special neighbours. If the
players play according to such a lawful strategy a run of the game may look like:

s : T(x_1)      d : F(x_2)   ...   s : F(x_{2r-1})          d : F(x_{2r})   d :

d : TF(x_1x_2)  s : v*       ...   d : FF(x_{2r-1}x_{2r})   s : v*          s : x_{k+1}

That is, the spoiler has first chosen an element in the middle of gadget $I_k$ labelled
T, the duplicator has answered with an element labelled TF, then the spoiler
has chosen an element with no label, and so on. The first k (lawful) rounds
determine a truth assignment for the variables of $\phi$. Of course the duplicator
wins the game on $A_k$ and $B_k$, while we want the duplicator to win a run of the
game iff the truth assignment determined by the first k rounds of the run does
not make $\phi$ true. We will achieve this by taking advantage of the fact that in
the last move the spoiler can force a pair $(x_{k+1}, x'_{k+1})$. We first replace $x_{k+1}$ and
$x'_{k+1}$ with two sets and each having k + 1 new vertices labelled $C_1$,
k + 1 new vertices labelled $C_2$, ..., k + 1 new vertices labelled $C_n$, where $C_1, \ldots, C_n$
are the clauses of $\phi$ (again, no unary relations corresponding to these labels are
present in the signature). 14,^^^ has also an additional new vertex w*, with no
label. There are no edges between vertices in the same set 14^^^ or , and
there is an edge between any vertex v ∈ 14^+1 and any vertex w that
was connected to $x_{k+1}$ in $A_k$ or $B_k$. So we have:

- = {w*, Cl, . . . , Cl, . . . , . . . , C„}. 

- ={Ci,...,Ci,...,C„,...,C„}. 

Definition 11. Let $C_k$ and $D_k$ be the structures obtained by replacing $x_{k+1}$ and
with the sets 14^^^ and 14 '^^^ , as described above. 

On $C_k$ and $D_k$ a lawful run of the k + 1-moves EF game may look like:

s : T(x_1)      d : F(x_2)   ...   s : F(x_{2r-1})          d : F(x_{2r})   d : C_j

d : TF(x_1x_2)  s : v*       ...   d : FF(x_{2r-1}x_{2r})   s : v*          s : w*

In the last round the spoiler has played an unlabelled element w* from set 14^+1
and the duplicator has responded with an element of 14 ^^^ , that is, has exhibited
a clause $C_j$ of $\phi$. The duplicator must lose the run if $C_j$ is not falsified by the
assignment. To ensure this, we add a ternary relation H; no triple (*, *, w*) is
in H, but for example we will have $H(T(x_1), F(x_2), C_j)$ iff assigning T to $x_1$
and F to $x_2$ in $\phi$ makes clause $C_j$ true. For the sake of exposition, in introducing
ternary relation H we will first label explicitly some of the vertices in $A_k$ and $B_k$
with the labels T, F, TT, TF, FT, FF; this is just to facilitate the exposition and
introduce ternary relation H below; no unary relations are part of the signature
$\Sigma$. First we label the vertices in the middle of gadget $I_i$ and gadgets $J_{i-1}$ and
$L_{i-1}$ for each i = k, k - 2, ..., 2.

1. Of the four vertices ixJ, two are labelled T and the other two F; of the four
vertices (i - 1)xJ, ixL, (i - 1)xL, or ix'J, (i - 1)x'J, (i - 1)x'L, one is labelled
TT, one TF, one FF, one FT.

2. Of the four vertices in the middle of any gadget $J_{i-1}$ with i - 1 special
neighbours, or i - 2 special neighbours, two are labelled T and two F;

3. In gadget $L_{i-1}$ the two vertices (i - 1)zt' and the two vertices (i - 2)zt are
not labelled; of the two remaining vertices (i - 1)zt and the two (i - 2)zt',
one is labelled T and the other F.

We will say that two vertices v and w are consecutive in block i iff v is a vertex
in the middle of gadget $I_{k-2(i-1)}$ and w is a vertex in the middle of the L or J
gadget glued to v.

Definition 12. Relation H is defined as follows on the vertices of $C_k$ and $D_k$:

- $H(u, v, C_j)$ iff u is labelled a (a = T or F), v is labelled b, u and v are
consecutive in block i, and assigning $x_i$ to a and $x_{i+1}$ to b makes clause
$C_j$ true in $\phi$.

- $H(w, v^*, C_j)$ iff w is labelled ab (a, b = T or F), w and v* are consecutive in
block i and assigning $x_i$ to a and $x_{i+1}$ to b makes clause $C_j$ true in $\phi$.

- $H(z, v, C_j)$ iff z is labelled ac, v is labelled b, z and v are consecutive in block i
and assigning $x_i$ to a and $x_{i+1}$ to b makes clause $C_j$ true in $\phi$.

Definition 13. Structures A and B are obtained from $C_k$ and $D_k$ by introducing
ternary relation H.

Now the proof of Theorem 5, that is, the proof that the spoiler wins the k + 1-
moves EF game on A and B iff player I wins the QBF game on $\phi$, proceeds as
follows; we have to consider three cases:

- The spoiler plays lawfully: he wins the game iff $\phi$ is true.

- The spoiler does not play lawfully, but he can still force pair $(x_{k+1}, x'_{k+1})$ in
the last move; the spoiler has not gained anything by not playing lawfully,
he could have played lawfully.

- The spoiler does not play lawfully and cannot force pair $(x_{k+1}, x'_{k+1})$. In this
case the duplicator can follow a winning strategy for the game on $A_k$ and
$B_k$ as in Theorem 6. The only thing we need to check is that the relation H
does not cause any problem.

Question: Can we eliminate relation H and show that the EF problem is complete 
if played on structures over a signature containing a binary relation only? 

4 The one-sided and the k-alternations EF games

We show here that the one-sided EF game and the k-alternations EF game are
also PSPACE complete.

Theorem 7. The one-sided EF game is PSPACE complete. 

Proof (sketch): We just show hardness. We reduce the r-moves EF game on
structures A and B over some signature $\Sigma$ to the r + n-moves one-sided EF
game on structures C and D, on a signature $\Sigma' = \Sigma \cup \{R, B\}$ where R and B
are new unary relations, and $n = |V_A| + |V_B|$ (here $V_A$, $V_B$ are the sets of vertices
of structures A and B). Order the elements of $V_A \cup V_B$, so that $V_A = \{1, \ldots, m\}$
and $V_B = \{m + 1, \ldots, m + k\}$ for some m and k, then:

- For any $x \in V_A \cup V_B$ there is an element x in $V_C$ with x additional new
neighbours colored R and n additional new neighbours colored B. $V_C$ also
contains many elements with x new neighbours colored R and n - 1 neighbours
colored B. All relations except for R and B are empty in C.

- For any element $(x, y) \in V_A \times V_B \cup V_B \times V_A$ there is a vertex (x, y) in
$V_D$ with x new neighbours colored R and n new neighbours colored B. $V_D$
also contains many elements with x new neighbours colored R and n - 1
neighbours colored B. We have E(a,b)(c,d) iff Exy in A but not Ezt in R,
or vice versa; where x is the coordinate a or b of the pair (a, b) that belongs
to A, and y is the one that belongs to B. Similarly for all other relations
in $\Sigma$.

Theorem 8. The one-sided EF game reduces to the k alternations EF game,
for any k > 0.

A proof is given in [2]. 
Abstract. We consider upper bounds for minimal resolution refutations
of propositional formulas in CNF. We show that minimal refutations of
minimal unsatisfiable formulas over n variables and n + k clauses consist
of at most applications of the resolution rule.

Keywords: propositional formulas, length of proofs, minimal unsatis- 
fiability, resolution 



1 Introduction 

A resolution refutation or a proof of an unsatisfiable formula is a sequence of 
applications of the resolution rule generating the empty clause. The number of 
resolution steps is the length of the proof and a minimal refutation is a proof with 
minimal length. Instead of counting the number of applications of the resolution 
rule often the size of the refutation is considered, where the size is the number 
of generated clauses. With respect to minimal refutations both measures do not 
differ. 

Here, we restrict ourselves to minimal unsatisfiable formulas. A formula in 
conjunctive normal form (CNF) is called minimal unsatisfiable if, and only if the 
formula is unsatisfiable and removing an arbitrary clause leads to a satisfiable 
formula. Most of the hard examples for the resolution presented in the literature 
are minimal unsatisfiable. 

In [6] it is shown that so-called pigeonhole formulas, formulas over n(n + 1)
variables and $O(n^3)$ clauses, have a minimal proof size of $c^n$ for some c > 1, and
based on Haken's proof method other hard examples have been invented, see for
example [7]. In connection with average case analysis interesting lower bounds
have been established (for example [3], [2]), but besides the obvious upper bound
$2^n$ for refutations of formulas over n variables only few results with respect to
upper bounds are known [5].

Our upper bound for minimal resolution refutations has two parameters.
One of them is the number of variables, n, and the other one is the
difference between the number of clauses and the number of variables, k. For
fixed k there exist unsatisfiable formulas with minimal proofs exponential in the
number of variables, but these formulas are not minimal unsatisfiable. Take for
example a result shown in [3], that there is some $\varepsilon > 0$ and that there are
unsatisfiable formulas over n variables with about 5.6 clauses for which a resolution
refutation requires at least $(1 + \varepsilon)^n$ steps. In order to prove that there are
unsatisfiable formulas with n + 1 clauses and exponential minimal proofs, we have
to add only some satisfiable clauses over new variables to the formula, such that
the generated formula has m + 1 clauses and m variables for some appropriate
m > n.

G. Gottlob, E. Grandjean, K. Seyr (Eds.): CSL’98, LNCS 1584, pp. 171-178, 1999.
© Springer-Verlag Berlin Heidelberg 1999

Hans Kleine Büning

For minimal unsatisfiable formulas the difference between the number of
clauses and the number of variables is always positive, because there exist no
minimal unsatisfiable formulas over n variables with n or fewer clauses.
A proof can be found in [1] or one can make use of Hall’s Theorem.

We present a resolution procedure which requires not more than 
resolution steps where k is the difference between the number of clauses and 
the number of variables, n. The procedure makes use of a so-called splitting
theorem. The theorem says that, if each literal occurs at least twice in a minimal
unsatisfiable formula, the formula can be split into two minimal unsatisfiable
formulas where the difference between the number of clauses and the number of
variables is less than k. An iterative application of this splitting leads to a tree.
The size of the tree is bounded depending on k and the tree itself can be used 
to generate a resolution refutation. 

Our upper bound is only of interest for minimal unsatisfiable formulas
with less than 2>n clauses, because $2^n$ is the trivial upper bound for resolution
refutations of formulas over n variables. As an immediate consequence of our
result we see e.g. that for relatively few clauses, say n + log n clauses, resolution
refutations of length not greater than exists. For minimal unsatisfiable
formulas with 1.5n clauses we obtain that the size of a minimal proof is bound by
2 Notation 



A literal is a propositional variable or a negated propositional variable. var(F)
is the set of variables of a formula F and #var(F) is the number of variables.
Clauses are sets of literals without multiple occurrences of literals. ⊔ denotes the
empty clause. #cl(F) is the number of clauses for a formula F in CNF. Since
formulas with multiple occurrences of clauses are not minimal unsatisfiable, we
consider formulas in CNF not as set of clauses but as multi-set of clauses. Often
a formula $F = f_1 \wedge \cdots \wedge f_m$ will be written as $F = [f_1, \ldots, f_m]$. Note that the
order in which the clauses occur does not play any role.

MU is the set of minimal unsatisfiable formulas in CNF, and for a fixed $k \ge 1$
MU(k) is the set of minimal unsatisfiable formulas over n variables with n + k
clauses.
3 Upper Bound

The proof of the upper bound for minimal resolution refutations of minimal
unsatisfiable formulas is based on an induction on k, where k is the difference
between the number of clauses and the number of variables.

At first we give a short outline of the proof. Minimal unsatisfiable formulas
over n variables with n + 1 clauses can be refuted in n resolution steps. That
follows from the fact that in a minimal unsatisfiable formula over n variables
and n + 1 clauses a variable occurs exactly once positively and exactly once
negatively (see [4]). After resolving the clause with x and the clause with $\neg x$, we
obtain a minimal unsatisfiable formula over n - 1 variables and n clauses, where
the parent clauses have been removed and the resolvent has been added.

For k > 1 in a first step we resolve upon all literals occurring exactly once.
Then we split the formula into two unsatisfiable formulas by setting an arbi- 
trarily given variable to true resp. false. The generated formulas must contain 
minimal unsatisfiable subformulas, for which we can show that now the differ- 
ence between the number of clauses and the number of variables is less than k. 
By the induction hypothesis the desired upper bound holds for these minimal 
unsatisfiable formulas. Finally, we combine the resolution proofs and obtain the 
upper bound. 

Let k > 1 be given. If a literal L occurs exactly once in a formula $F \in MU(k)$,
then we can resolve the clause in which L occurs with all clauses containing the
literal $\neg L$ preserving the minimal unsatisfiability. After adding the resolvents
and removing the parent clauses the resulting formula is again in MU(k), but
now with n - 1 variables and n - 1 + k clauses.

This resolution procedure resolving upon literals occurring exactly once is
called (1,*)-resolution procedure and can be described formally as

(1,*)-resolution procedure:

    while F contains a literal L exactly once and ¬L is a literal in F do
        {F = [(L ∨ f), (¬L ∨ g_1), ..., (¬L ∨ g_r), Rest], resolve F on L}
        F := [(f ∨ g_1), ..., (f ∨ g_r), Rest];
    end(while);
    return(F)

For k > 1 performing these resolution steps as long as such single literals exist
cannot lead to the empty clause, because otherwise in the final step a formula
$x \wedge \neg x \in MU(1)$ would occur. That would be a contradiction to the fact that
the (1,*)-resolution procedure preserves the difference between the number of
clauses and the number of variables. Thus, the (1,*)-resolution procedure
resolves on not more than $q \le n - 1$ variables and the maximal number of
resolution steps is bounded from above by $\sum_{1 \le i \le q} (n + k - i)$. We summarize these
observations in the following Lemma.

Lemma 1. For k > 1 let F be a formula in MU(k):

The (1,*)-resolution procedure returns a formula in MU(k). The procedure
resolves on at most $q \le n - 1$ variables and performs at most $\sum_{1 \le i \le q} (n + k - i)$
resolution steps.
Now let us recall some results about minimal unsatisfiable formulas with
n + 1 clauses. In [1] it is shown that every minimal unsatisfiable formula over 
n variables consists of at least n + 1 clauses. For our proof of the upper bound 
we need the fact that for formulas in MU{1) a resolution refutation requires 
not more than n steps where n is the number of variables. This property is an 
immediate consequence of the first statement of the following theorem. 

Theorem 1. [4] 

1. If $F \in MU(1)$ then there exists a variable occurring exactly once positively and
once negatively in F.

2. For formulas in MU{1) over n variables there exists a resolution refutation 
with exactly n resolution steps. 

Later on we make use of a technical Lemma for which we need the following 
definition. 

Definition 1. Let F be a formula in CNF and X a non-empty subset of var(F).
Then F{X) is the result of removing all clauses not containing a variable in X 
and deleting in the remaining clauses all variables not in X. Note that multiple 
occurrences of clauses will not be deleted. 



Lemma 2. Suppose $F \in MU(k)$ for some $k \ge 2$ and each literal occurs at least
twice in F. Then for all non-empty $X \subseteq var(F)$: $\#cl(F(X)) \ge |X| + 2$.

Proof. Induction on the number of variables m in X.

Since $F \in MU$ the formula F(X) must be unsatisfiable. If m = 1 then F(X)
contains two clauses x and two clauses $\neg x$, because each literal occurs at
least twice in F. Note that we consider F and also F(X) as multi-sets of clauses.
Thus, we have $\#cl(F(X)) \ge 1 + 2$.

For m > 1 let $X = \{x_1, \ldots, x_m\}$ be the set of variables. Then there is some
minimal unsatisfiable formula G with $G \subseteq F(X)$.

If $var(G) = \{x_1, \ldots, x_m\}$ then $\#cl(G) \ge m + 1$ (see [1]). Further, if $G \in MU(1)$
then in G a variable occurs exactly once positively and once negatively. Since
each literal occurs at least twice in F and no tautological clause is in F, F(X)
contains at least two clauses more than G. Hence, we obtain that F(X) consists
of at least m + 1 + 2 clauses. If $G \in MU(t)$ for some t > 1, then G consists of
$m + t \ge m + 2$ clauses.

If $var(G) = \{x_1, \ldots, x_s\}$ for some s < m then
$\#cl(F(X)) \ge \#cl(G) + \#cl(F(X - \{x_1, \ldots, x_s\}))$. Since G is minimal unsatisfiable,
the formula G consists of at least s + 1 clauses (see [1]). By the induction hypothesis we get
$\#cl(F(X - \{x_1, \ldots, x_s\})) \ge m - s + 2$. Altogether we have
$\#cl(F(X)) \ge s + 1 + m - s + 2 > m + 2$.

We split a minimal unsatisfiable formula in MU(k) into two minimal
unsatisfiable formulas. For a variable x we remove the clauses with literal $\neg x$ (set
$\neg x = 1$) resp. x (set x = 1). In the remaining clauses we delete the occurrences
of the literal x resp. $\neg x$. The formulas are unsatisfiable and contain therefore
some minimal unsatisfiable subformulas, say $F_x \in MU(k_x)$ and $F_{\neg x} \in MU(k_{\neg x})$
for some $k_x$ and $k_{\neg x}$. Now we are interested in the size of $k_x$ and $k_{\neg x}$ with respect
to k. For arbitrary formulas in MU(k) such a splitting may lead to a minimal
unsatisfiable formula $F_x$ with $k_x = k$. Take for example the formula
$F = [\neg x \vee \neg a,\ a,\ y \vee z,\ \neg y \vee z,\ y \vee \neg z,\ x \vee \neg y \vee \neg z] \in MU(2)$. A splitting
on x leads to minimal unsatisfiable formulas $F_{\neg x} = \neg a \wedge a \in MU(1)$ and
$F_x = [y \vee z,\ \neg y \vee z,\ y \vee \neg z,\ \neg y \vee \neg z] \in MU(2)$. That means $k_x = k = 2$, and
$k_{\neg x} = 1$.

But as we will see, for k > 1 and after the application of the (1,*)-resolution
procedure $k_x$ as well as $k_{\neg x}$ must be less than k.

For example the (1,*)-resolution applied to the formula F generates the
formula $F^* = [y \vee z,\ \neg y \vee z,\ y \vee \neg z,\ \neg y \vee \neg z] \in MU(2)$. Now a splitting on the
variable y leads to minimal unsatisfiable formulas $F^*_y = z \wedge \neg z \in MU(1)$ and
$F^*_{\neg y} = z \wedge \neg z \in MU(1)$.
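The (1,*)-resolution procedure and the splitting step, run on the example formula F from this section; this is an added example, not code from the paper. The integer encoding of literals, the function names, and the brute-force satisfiability check used to extract minimal unsatisfiable subformulas are assumptions of the example.

```python
from itertools import product

# Encoding (an assumption of this example): a literal is a nonzero int,
# +v for variable v and -v for its negation; a clause is a frozenset of
# literals; a formula is a list of clauses, i.e. a multi-set as in Section 2.

def variables(formula):
    return sorted({abs(lit) for clause in formula for lit in clause})

def deficiency(formula):
    """#cl(F) - #var(F); a formula in MU(k) has deficiency k."""
    return len(formula) - len(variables(formula))

def satisfiable(formula):
    """Brute-force truth-table check, adequate only for small formulas."""
    vs = variables(formula)
    for bits in product((False, True), repeat=len(vs)):
        value = dict(zip(vs, bits))
        if all(any(value[abs(l)] == (l > 0) for l in c) for c in formula):
            return True
    return False

def mu_core(formula):
    """Delete clauses one by one while the rest stays unsatisfiable; for an
    unsatisfiable input the result is a minimal unsatisfiable subformula."""
    core = list(formula)
    i = 0
    while i < len(core):
        trial = core[:i] + core[i + 1:]
        if satisfiable(trial):
            i += 1          # clause i is needed, keep it
        else:
            core = trial    # clause i is redundant, drop it
    return core

def one_star_resolution(formula):
    """(1,*)-resolution: while some literal L occurs exactly once and its
    complement occurs too, replace the parent clauses by all resolvents on L.
    Returns (formula, number of resolution steps, variables resolved upon)."""
    formula = list(formula)
    steps, resolved = 0, []
    while True:
        lits = sorted({l for c in formula for l in c},
                      key=lambda l: (abs(l), l))
        pick = next((l for l in lits
                     if sum(l in c for c in formula) == 1
                     and any(-l in c for c in formula)), None)
        if pick is None:
            return formula, steps, resolved
        parent = next(c for c in formula if pick in c)
        partners = [c for c in formula if -pick in c]
        rest = [c for c in formula if pick not in c and -pick not in c]
        resolvents = [(parent - {pick}) | (g - {-pick}) for g in partners]
        steps += len(resolvents)        # one resolution step per partner
        resolved.append(abs(pick))
        formula = resolvents + rest

def split(formula, var):
    """F_x: drop the clauses containing the negated variable and delete the
    variable from the rest; F_not_x symmetrically. Each side is reduced to a
    minimal unsatisfiable subformula."""
    f_x = [c - {var} for c in formula if -var not in c]
    f_not_x = [c - {-var} for c in formula if var not in c]
    return mu_core(f_x), mu_core(f_not_x)

# The example formula F of this section, with x, a, y, z numbered 1..4.
X, A, Y, Z = 1, 2, 3, 4
F = [frozenset(c) for c in
     ([-X, -A], [A], [Y, Z], [-Y, Z], [Y, -Z], [X, -Y, -Z])]

def demo():
    f_star, steps, resolved = one_star_resolution(F)
    return {
        "k": deficiency(F),
        "split_F_on_x": [deficiency(g) for g in split(F, X)],
        "steps": steps,
        "resolved": resolved,
        "k_star": deficiency(f_star),
        "split_Fstar_on_y": [deficiency(g) for g in split(f_star, Y)],
    }

if __name__ == "__main__":
    print(demo())
```

Splitting F directly on x keeps one side at deficiency 2, while splitting the (1,*)-reduced formula on y gives deficiency 1 on both sides, which is the behaviour the splitting theorem requires.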

Theorem 2 (Splitting). Suppose $F \in MU(k)$ for some $k \ge 2$ and each
literal occurs at least twice in F. Furthermore, we suppose

$F = [(x \vee f_1), \ldots, (x \vee f_s), B_x, C, B_{\neg x}, (\neg x \vee g_1), \ldots, (\neg x \vee g_t)]$, where $B_x$, C, $B_{\neg x}$
are some conjunctions of clauses without occurrences of x and $\neg x$, such that
$F_x := [f_1, \ldots, f_s, B_x, C] \in MU(k_x)$, $F_{\neg x} := [g_1, \ldots, g_t, B_{\neg x}, C] \in MU(k_{\neg x})$
for some $k_x$ and $k_{\neg x}$.
Then we have $k_x, k_{\neg x} < k$.

Proof. Suppose F is a formula over n variables. We define $v_x := \#var(F_x)$ and
$v_{\neg x} := \#var(F_{\neg x})$. That means $F_x$ resp. $F_{\neg x}$ consists of $v_x + k_x$ resp. $v_{\neg x} + k_{\neg x}$
clauses.

Since the variable x occurs at least twice positively and at least twice
negatively in F, we get $s, t \ge 2$ and therefore $v_x + k_x \le n + k - 2$ and
$v_{\neg x} + k_{\neg x} \le n + k - 2$. That implies for $v_x = n - 1$ resp. $v_{\neg x} = n - 1$ the
inequality $k_x \le k - 1$ resp. $k_{\neg x} \le k - 1$.

Now we proceed by a case distinction:

Case 1: $v_x = n - 1$ and $v_{\neg x} < n - 1$.

Then we know $k_x \le k - 1$. Note that $var(F_{\neg x}) \subseteq var(F_x) = var(F) - \{x\}$. For
$\{a_1, \ldots, a_l\} = var(F_x) - var(F_{\neg x})$ we have $n = v_{\neg x} + l + 1$.

Since $\#cl(F(\{a_1, \ldots, a_l\})) = \#cl([f_1, \ldots, f_s, B_x](\{a_1, \ldots, a_l\}))$, by Lemma 4 we
get $\#cl([f_1, \ldots, f_s, B_x](\{a_1, \ldots, a_l\})) \ge l + 2$ and therefore $\#cl([f_1, \ldots, f_s, B_x]) \ge l + 2$.
Hence we obtain $v_{\neg x} + k_{\neg x} + l + 2 \le n + k$.

Assuming $k_{\neg x} \ge k$ leads to $v_{\neg x} + k_{\neg x} + l + 2 \le n + k_{\neg x}$ and therefore to
$v_{\neg x} + l + 2 \le n$ in contradiction to $v_{\neg x} + l + 1 = n$. Thus we have $k_{\neg x} < k$.

Case 2: $v_x < n - 1$ and $v_{\neg x} = n - 1$, analogous to case 1.

Case 3: $v_x, v_{\neg x} < n - 1$.

For $\{a_1, \ldots, a_l\} = var(F_x) - var(F_{\neg x})$ and $\{b_1, \ldots, b_r\} = var(F_{\neg x}) - var(F_x)$ we
have $l, r \ge 1$. Otherwise $var(F_x)$ resp. $var(F_{\neg x})$ would be a subset of $var(F_{\neg x})$
resp. $var(F_x)$. That would imply $\#var(F_{\neg x}) = n - 1$ resp. $\#var(F_x) = n - 1$ in
contradiction to our case assumption. Further, $a_i$ and $b_j$ do not occur in C.
By means of Lemma 4 we obtain

$\#cl([f_1, \ldots, f_s, B_x](\{a_1, \ldots, a_l\})) = \#cl(F(\{a_1, \ldots, a_l\})) \ge l + 2$ and
$\#cl([g_1, \ldots, g_t, B_{\neg x}](\{b_1, \ldots, b_r\})) = \#cl(F(\{b_1, \ldots, b_r\})) \ge r + 2$, and therefore
$v_{\neg x} + k_{\neg x} + l + 2 \le n + k$ and $v_x + k_x + r + 2 \le n + k$.

The inequalities imply $k_x, k_{\neg x} < k$, because of $v_x + r + 1 = n$ and $v_{\neg x} + l + 1 = n$.



Now we are able to prove our desired upper bound for minimal resolution 
refutations of minimal unsatisfiable formulas. 

Theorem 3. Let F be a minimal unsatisfiable formula over n variables with
n + k clauses. Then a minimal resolution refutation of F requires not more than
$2^{k-1} n^2$ resolution steps.

Proof. (Induction on k) 

For k = 1 the upper bound is n, because of Theorem 2. 

For k > 1 and a formula $F \in MU(k)$ we first apply the (1,*)-resolution
procedure to F. Suppose the (1,*)-resolution procedure resolves on q variables.
Please note that q must be less than n. Then an upper bound for the number
of these resolution steps is $\sum_{1 \le i \le q} (n + k - i)$ and the generated formula is in
MU(k), see Lemma 1.

Say $F^*$ is the formula we obtain after applying the (1,*)-resolution procedure
to F. Then in $F^*$ each literal occurs at least twice. Due to Theorem 5 we split
the formula $F^*$ over a variable x into two minimal unsatisfiable formulas
$F_x \in MU(k_x)$ and $F_{\neg x} \in MU(k_{\neg x})$ for some $k_x$ and $k_{\neg x}$. Then it holds $k_x, k_{\neg x} < k$.
Further, the formulas $F_x$ and $F_{\neg x}$ contain at most n - q - 1 variables. W.l.o.g.
we suppose that $k_x = k_{\neg x} = k - 1$ and both formulas have the maximal number
of variables n - q - 1.

By the induction hypothesis we obtain for the minimal resolution refutation
of $F_x$ and $F_{\neg x}$ the upper bound $2^{k-2}(n - q - 1)^2$. Now we add to each clause in
$F_x$ resp. $F_{\neg x}$ the removed variable x resp. $\neg x$. Say $F_x^{x}$ and $F_{\neg x}^{\neg x}$ are the resulting
formulas. Then x and $\neg x$ can be derived in $2 \cdot 2^{k-2}(n - q - 1)^2$ resolution steps.
Finally, in one step we obtain the empty clause.

Since $F_x^{x}$ and $F_{\neg x}^{\neg x}$ are subformulas of $F^*$ we obtain as an upper bound for a
minimal resolution refutation for F:

$$\sum_{1 \le i \le q} (n + k - i) + 1 + 2^{k-1}(n - q - 1)^2 \le 2^{k-1} n^2 \tag{1}$$

The last inequality can be shown by an induction on k. Please note that
$k \ge 2$, $n \ge 1$, and $0 \le q \le n - 1$.

For k = 2 we start with the inequality

$$0 \le 3q^2 + 3q + 2 \tag{2}$$

Then we add $11q + 3q^2 + 6$ to the inequality

$$11q + 3q^2 + 6 \le 6q^2 + 6q + 8q + 8 \tag{3}$$

$$11q + 3q^2 + 6 \le (q + 1)(6q + 8) \tag{4}$$

Since q < n we obtain

$$11q + 3q^2 + 6 \le n(6q + 8) \tag{5}$$

$$11q/2 + 3q^2/2 + 3 \le 3nq + 4n \tag{6}$$

The inequality is equivalent to

$$nq + 6q - q/2 + 2q^2 - q^2/2 + 3 - 4nq - 4n \le 0 \tag{7}$$

Then we obtain

$$\sum_{1 \le i \le q} (n + 2 - i) + 4q + 2q^2 + 2 - 4nq - 4n + 2n^2 + 1 \le 2n^2 \tag{8}$$

and finally

$$\sum_{1 \le i \le q} (n + 2 - i) + 2(n - q - 1)^2 + 1 \le 2n^2 \tag{9}$$

For k + 1 we start with the following inequality (please note that q < n).

$$q \le \sum_{1 \le i \le q} (n + k - i) + 1 \tag{10}$$

Now we add $\sum_{1 \le i \le q} (n + k - i) + 1 + 2^k(n - q - 1)^2$ and obtain

$$\sum_{1 \le i \le q} (n + k - i) + q + 1 + 2^k(n - q - 1)^2 \le 2 \sum_{1 \le i \le q} (n + k - i) + 2 + 2^k(n - q - 1)^2 \tag{11}$$

Using (11) and the induction hypothesis (IH) we obtain our desired
result for k + 1.

$$\sum_{1 \le i \le q} (n + k + 1 - i) + 1 + 2^k(n - q - 1)^2 = \tag{12}$$

$$\sum_{1 \le i \le q} (n + k - i) + q + 1 + 2^k(n - q - 1)^2 \le_{(11)} \tag{13}$$

$$2 \sum_{1 \le i \le q} (n + k - i) + 2 + 2^k(n - q - 1)^2 = \tag{14}$$

$$2 \cdot \Big[ \sum_{1 \le i \le q} (n + k - i) + 1 + 2^{k-1}(n - q - 1)^2 \Big] \le_{IH} 2(2^{k-1} n^2) \le 2^k n^2 \tag{15}$$
4 Conclusion and Future Work

The upper bound is not sharp, because for example for k = 1 minimal
resolution refutations require exactly n resolution steps. Maybe a more careful
analysis of the number of (1,*)-resolutions and the number of variables occurring
in the splitting leads to a better bound. Otherwise as far as we know no minimal
unsatisfiable formulas with minimal proof length of at least $2^{k-1} n$ and relatively
few clauses, say for example for fixed k or for $n + t \cdot \log n$ clauses, are known.

In order to solve these problems and (more generally) in order to prove
complexity of different calculi, we must reference more information about the
structure of minimal unsatisfiable formulas. We expect an investigation of the
particular structure of minimal unsatisfiable formulas with a fixed difference
between the number of clauses and the number of variables and a better
characterization of minimal unsatisfiable formulas to be the key to more accurate
results. Note that the structure of formulas in MU(1) and MU(2) is well-known,
e.g. formulas in MU(2) in which each literal occurs at least twice are of
the form $(x_1 \vee \cdots \vee x_n), (\neg x_1 \vee x_2), \ldots, (\neg x_n \vee x_1), (\neg x_1 \vee \cdots \vee \neg x_n)$. Obviously
these formulas can be refuted by means of the resolution operation in 2n steps.
Similar results would be desirable for arbitrary MU(k).
Abstract. J. Krajicek and P. Pudlak proved that an almost optimal
deterministic algorithm for TAUT exists if and only if there exists a p- 
optimal proof system for TAUT. In this paper we prove that an almost 
optimal deterministic algorithm for SAT exists if and only if there exists 
a p-optimal proof system for SAT. Combining Krajicek and Pudlak’s 
result with our result we show that an optimal deterministic algorithm 
for SAT exists if and only if both p-optimal proof systems for TAUT 
and for SAT exist. 



1 Introduction 

A deterministic algorithm recognizing SAT is optimal if no other algorithm 
recognizing SAT has more than a polynomial speed-up over its running time (see 
[5]). Two versions of optimality appear in Computational Complexity: Levin’s 
optimality and Krajicek - Pudlak’s optimality. In this paper we are mainly 
concerned with an optimal algorithm possessing Krajicek - Pudlak’s optimal- 
ity property. If the optimality property is stated only for any input string x 
which belongs to SAT and nothing is claimed for other x’s, we name such an
algorithm as an almost optimal deterministic algorithm for SAT. 

A proof system for a language L is a polynomial time computable function 
whose range is L. This notion was defined by S. Cook and R. Reckhow in [3]. In 
order to compare the efficiency of different proof systems, they considered the 
notion of p-simulation. Intuitively a proof system h p-simulates a second one g 
if there is a polynomial time computable function t translating proofs in g into 
proofs in h. A proof system is called p-optimal for L when it p-simulates any 
proof system for L. The question whether a p-optimal proof system for TAUT 
(the set of tautologies in Propositional Logic) exists, posed by J. Krajicek and 
P. Pudlak, is an important one in the field (see [5], [7], [4]). 

The problem of the existence of an optimal deterministic algorithm for SAT 
has been considered as early as the beginning of the NP-era. In [6] L. Levin 
observed that there exists an almost optimal deterministic algorithm for the 
functional version of SAT (see [8]). Using Levin’s construction we can also build 
an almost optimal deterministic algorithm for the decision version of SAT with 
the optimality property named by us as Levin’s optimality (see [9]). 
Nearly two decades later J. Krajicek and P. Pudlak considered the notion
of an almost optimal deterministic algorithm for TAUT (see [5]). Their concept
of optimality differs from the one attributed to L. Levin and is named by us as
Krajicek-Pudlak’s optimality. They proved that an almost optimal deterministic
algorithm for TAUT exists if and only if there exists a p-optimal proof system 
for TAUT. 

The question whether it is also possible to characterize an optimal determin- 
istic algorithm for TAUT (or equivalently an optimal deterministic algorithm 
for SAT) in p-optimal proof systems terms arises naturally from Krajicek and 
Pudlak’s work. We answer this question. We prove that an almost optimal de- 
terministic algorithm for SAT exists if and only if there exists a p-optimal proof 
system for SAT. Combining Krajicek and Pudlak’s result with our result we 
show that an optimal deterministic algorithm for SAT exists if and only if both 
proof systems for TAUT and for SAT exist. 

In the last section we discuss the problem of the existence of an optimal 
deterministic algorithm for SAT with Levin’s optimality property. 

The inspiration to write this paper comes from [5,4]. 



2 Preliminaries 

We assume some familiarity with basic complexity theory, see [1]. The symbol
$\Sigma$ denotes, throughout the paper, a certain fixed finite alphabet. The set of all
strings over $\Sigma$ is denoted by $\Sigma^*$. For a string x, |x| denotes the length of x. The
symbol FP denotes the class of functions that can be computed in polynomial
time.

We use Turing machines (acceptors and transducers) as our basic computa- 
tional model. For a deterministic Turing machine M and an input w 
TIME(M, w) denotes the computing time of M on w. 

We consider clocked deterministic polynomial time Turing transducers (PTM 
for short). In the sequel we will not distinguish between a machine and its code. 
We impose some restrictions on our encoding of PTMs. From the code of any 
PTM we can detect easily (in polynomial time) the natural k such that + k
is its polynomial time bound. We consider only languages over the alphabet $\Sigma$
(this means that, e.g., boolean formulas have to be suitably encoded). The symbol
TAUT denotes the set (of all encodings) of propositional tautologies, SAT
denotes the set of all satisfiable propositional formulas and UNSAT denotes the
set of all unsatisfiable propositional formulas.

Finally, < > denotes some standard polynomial time computable
tupling function.



3 Optimal algorithms and p-optimal proof systems 

The notion of an almost optimal deterministic algorithm for TAUT was intro- 
duced by J. Krajicek and P. Pudlak. We propose to consider almost optimal 
and optimal deterministic algorithms for a language L with Krajicek-Pudlak’s 
optimality property. 

Definition 1. (cf. [5]) An almost optimal deterministic algorithm for L is a 
deterministic Turing machine M which recognizes L and such that for every 
deterministic Turing machine M' which recognizes L there exists a polynomial 
p such that for every $x \in L$ 

$$\mathrm{TIME}(M; x) < p(|x|, \mathrm{TIME}(M'; x))$$

If we state the optimality conditions for both "yes" and "no" inputs we obtain 
the definition of an optimal deterministic algorithm for L. 

Definition 2. An optimal deterministic algorithm for L is a deterministic Turing 
machine M which recognizes L and such that for every deterministic Turing 
machine M' which recognizes L there exists a polynomial p such that for any 
$x \in \Sigma^*$ 

$$\mathrm{TIME}(M; x) < p(|x|, \mathrm{TIME}(M'; x))$$

Fact 1. If an optimal deterministic algorithm for SAT exists then P = NP if 
and only if this algorithm works in polynomial time. 

Fact 2. The following statements are equivalent. 

(i) There exists an optimal deterministic algorithm for SAT. 

(ii) There exists an optimal deterministic algorithm for TAUT. 

(iii) There exists an optimal deterministic algorithm for UNSAT. 

Fact 3. The following statements are equivalent. 

(i) There exists an almost optimal deterministic algorithm for TAUT. 

(ii) There exists an almost optimal deterministic algorithm for UNSAT. 

A systematic study of complexity of proof systems for Propositional Logic was 
started by S. Cook and R. Reckhow in [3]. They introduced the abstract notion 
of a proof system for TAUT. The question of the existence of a polynomially 
bounded proof system for TAUT is connected with the problem NP=co-NP? 
(see [3,7]). The existence of an optimal proof system for TAUT is an important 
open question introduced by J. Krajicek and P. Pudlak in [5]. 

J. Kobler and J. Messner defined the abstract notion of a proof system for a 
language L in the following way: 

Definition 3. (see [4]) A proof system for L is a polynomial time computable 
function $h : \Sigma^* \to L$. 

If $h(w) = x$ we say that $w$ is a proof of $x$ in $h$. 

It follows from the above definition that for any proof system h there exists 
a PTM Mh which computes h. Proof systems for L can be treated as nondeter- 
ministic algorithms accepting L. 

The notion of p-simulation is useful in comparing the strength of different 
proof systems for L. 
Definition 4. (see [3]) Let h, h' be two proof systems for L. We say that h 
p-simulates h' if there exists a polynomial time computable function $\gamma : \Sigma^* \to \Sigma^*$ 
such that for every $x \in L$ and every $w \in \Sigma^*$, if $w$ is a proof of $x$ in h', then 
$\gamma(w)$ is a proof of $x$ in h. 



Definition 5. (see [4]) A proof system is p-optimal for L if it p-simulates any 
proof system for L. 

The family of proof systems for SAT contains a proof system which can be 
named natural. Any truth assignment satisfying a formula $\alpha$ is its proof in this 
system. If the natural proof system for SAT were p-optimal, then the assertion 
that PRIMES belongs to P would be equivalent to the assertion that FACTORING is in 
FP. Since FACTORING seems much harder than PRIMES, the natural 
proof system for SAT is not likely to be p-optimal. 



4 Test formulas 

In this section we construct boolean formulas which can be used to verify for a 
given PTM M and an input w that M on input w produces a satisfiable boolean 
formula. We use these formulas in the proof of Theorem 1. 

Definition 6. We say that a PTM M behaves well on input w if M on w 
outputs a satisfiable boolean formula. 

To any PTM M and any $w \in \Sigma^*$ we shall assign the boolean formula 
$TEST_{M,w}$ such that: 

The formula $TEST_{M,w}$ is satisfiable if and only if M behaves well on input w. 

Our construction of the formula $TEST_{M,w}$ is adapted from Cook’s proof that 
SAT is NP-complete (cf. [2]). Let S be a fixed nondeterministic Turing machine 
working in polynomial time and accepting SAT. Let M' be the Turing machine 
which on any input x runs M and then runs S on the output produced by M. 
The formula $TEST_{M,w}$ is just Cook’s formula for the pair $\langle M', w \rangle$. 

From the construction of test formulas it follows that they possess the fol- 
lowing properties: 

(1) Global uniformity property 

There exists a function $f \in FP$ such that for any PTM N with time bound 
$n^k + k$ and for any $w \in \Sigma^*$ 

$$f(\langle N, w, 0^{|w|^k + k} \rangle) = TEST_{N,w}$$

(2) Local uniformity property 

Let M be any fixed PTM. There exists a function $f_M \in FP$ such that for 
any $w \in \Sigma^*$ 

$$f_M(\langle M, w \rangle) = TEST_{M,w}$$
Let T be an almost optimal deterministic algorithm for SAT. The following 
lemma intuitively says that T easily accepts test formulas for any fixed proof 
system for SAT. 

Let $k : \Sigma^* \to SAT$ be a proof system for SAT. Then there exists a certain 
PTM M with time bound $n^l + l$ such that M computes k. 

Lemma 1. For every PTM M such that M is the machine of a certain proof 
system $k : \Sigma^* \to SAT$ there exists a polynomial p such that for every $w \in \Sigma^*$ 
it holds: 

$$\mathrm{TIME}(T, TEST_{M,w}) < p(|w|)$$

Proof. Since M is the machine of the proof system k, $TEST_{M,w}$ is a satisfiable 
boolean formula for every $w \in \Sigma^*$. The machine M is fixed, so there exists a 
deterministic Turing machine which recognizes in polynomial time the language 
$\{TEST_{M,w} : w \in \Sigma^*\}$. Combining this machine with the "brute force" algorithm 
for SAT we obtain the deterministic machine N recognizing SAT and such that 
the following condition holds: There exists a polynomial q such that for every 
$w \in \Sigma^*$ 

$$\mathrm{TIME}(N, TEST_{M,w}) \le q(|w|).$$

The desired conclusion follows from the definition of an almost optimal 
deterministic algorithm for SAT. 

5 Consistent Turing machines 

The notion of a consistent Turing machine will be used in the proof of 
Theorem 1. 

Let M be a deterministic Turing machine. 

Definition 7. We say that M is consistent if M accepts only satisfiable boolean 
formulas (if M accepts w, then $w \in SAT$). 

Fact 4. For every consistent Turing machine M there exists the proof system 
$g_M : \Sigma^* \to SAT$ such that for every w accepted by M 
$g_M(x) = w$, where x is the computation of M accepting w. 

The function $g_M$ is the proof system for SAT generated by M. Because we 
impose conditions only on w’s accepted by M, there are many proof systems 
generated by M. 

6 Krajicek - Pudlak’s optimality 

In this section we prove the equivalence between the problem of the existence of 
an optimal deterministic algorithm for SAT and the problem of whether SAT 
and TAUT have p-optimal proof systems. This is the main result of our paper. 
Theorem 1. Statements (i) - (ii) are equivalent. 

(i) There exists an almost optimal deterministic algorithm for SAT. 

(ii) There exists a p-optimal proof system for SAT. 

Proof. (i) → (ii) 

Let T be an almost optimal deterministic algorithm for SAT. We say that a 
string $v \in \Sigma^*$ is in good form if 

$$v = \langle M, w, 0^{|w|^k + k}, Comp \rangle$$

where: M is a PTM with $n^k + k$ time bound, $w \in \Sigma^*$, $0^{|w|^k + k}$ is the sequence of 
zeros, Comp is the computation of T accepting the formula $TEST_{M,w}$. 

Let us notice that if v is in good form then $TEST_{M,w}$ is a satisfiable boolean 
formula, hence PTM M behaves well on input w producing a certain satisfiable 
boolean formula $\alpha$. The string v is a natural candidate for the proof of the 
formula $\alpha$ in a p-optimal proof system for SAT. 

Let $\alpha_0$ be a certain fixed satisfiable boolean formula. We define 
$h : \Sigma^* \to \Sigma^*$ in the following way: 

$h(v) = \alpha$ if v is in good form ($v = \langle M, w, 0^{|w|^k + k}, Comp \rangle$) and $\alpha$ is a boolean 
formula produced by M on input w, otherwise $h(v) = \alpha_0$. 

Clearly, $h : \Sigma^* \to SAT$. It follows from the global uniformity condition from 
Section 4 that $h \in FP$. This proves that h is a proof system for SAT. 

We have to show that h p-simulates any proof system for SAT. Let g be a 
proof system for SAT computed by PTM M with time bound $n^k + k$. 

The function $t : \Sigma^* \to \Sigma^*$ 

$$t(x) = \langle M, x, 0^{|x|^k + k}, Comp \rangle$$

translates proofs in g into proofs in h. 

The word Comp in the definition of t is the computation of T accepting 
the formula $TEST_{M,x}$. It follows from local uniformity property and Lemma 1 
(see Section 4) that Comp can be constructed from x in polynomial time. This 
proves that $t \in FP$. 

(ii) → (i) Our proof technique is adapted from [5]. 

Let Opt be the machine of a p-optimal proof system for SAT 
(Opt works in polynomial time). Let $M_0, M_1, M_2, M_3, \ldots$ be an enumeration 
of all deterministic Turing machine acceptors such that $M_0$ is the trivial "brute 
force" algorithm recognizing SAT. Let $T_1, T_2, T_3, \ldots$ be an enumeration of all 
Turing machine transducers. 

The desired machine T, which is an almost optimal deterministic algorithm 
for SAT, is constructed as follows. It has two distinguished worktapes QUEUE 
FOR VERIFICATION and PARTIAL RESULTS. These tapes are blanked at 
first. 

On an input w, $|w| = n$, T simulates the work of $M_0, M_1, M_2, M_3, \ldots, M_n$ 
and $T_1, T_2, T_3, \ldots, T_n$ in several rounds. At the m-th round the machine T 
performs the following three groups of operations: 

1. One additional computational step of $M_0, M_1, M_2, M_3, \ldots, M_n$ on w. The 
histories of computations of $M_1, M_2, M_3, \ldots, M_n$ are stored on the PARTIAL 
RESULTS tape, so performing computational steps of $M_1, M_2, M_3, \ldots, M_n$, 
the machine T updates the contents of the PARTIAL RESULTS tape. If a 
certain machine $M_i$, $1 \le i \le n$, accepts w and x is the computation of $M_i$ 
accepting w, then $\langle M_i, x \rangle$ is stored on the QUEUE FOR VERIFICATION 
tape ($\langle M_i, x \rangle$ is added to QUEUE FOR VERIFICATION). 

2. One additional computational step of $T_1, T_2, T_3, \ldots, T_n$ on every input x such 
that $\langle M_i, x \rangle$ for a certain $M_i$ is stored on QUEUE FOR VERIFICATION 
at that time. 

3. T checks whether there are strings x, y and integers $i, k \le n$ such that: 

(a) $M_i$ has accepted w and $\langle M_i, x \rangle$ is on the QUEUE FOR VERIFICATION 
tape. 

(b) $T_k$ has produced on input x a string y. 

(c) y is a proof of w in Opt. 

If this is the case, T halts and accepts w, otherwise it continues operating 
till $M_0$ halts and delivers YES or NO result. 

First we shall show that T recognizes SAT. If T finishes the simulation of 
$M_0$, then this is clear. So suppose that T accepts w because the situation in (3) 
occurs. Since w has an Opt-proof, w is a satisfiable boolean formula. 

Let N be any deterministic Turing machine which recognizes SAT. $N = M_i$ 
for a certain i. Since N is consistent, there exists a proof system generated by N, 
and there exists j such that $T_j$ translates proofs in this system into Opt-proofs. 
There exists also a polynomial p bounding the running time of $T_j$. 

Let w be any input such that $|w| > \max\{i, j\}$ and $w \in SAT$. Let $k = 
\mathrm{TIME}(M_i, w)$. T accepts w in round $p(k) + k$ or sooner. Since the m-th round 
of T takes polynomially many steps in n and m, there is a polynomial q such 
that $\mathrm{TIME}(T, w) < q(n, k)$. This proves that T is an almost optimal deterministic 
algorithm for SAT. 
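
The round structure of the machine T from the proof of (ii) → (i), as a toy simulation; this is an added example, not part of the original paper. It assumes CNF formulas given as tuples of integer literals, uses the natural proof system as a stand-in for Opt (which Section 3 argues is not likely p-optimal), and replaces the enumerations of acceptors and transducers by short hand-written lists of Python generators; all function names are hypothetical.

```python
from itertools import product

ALPHA0 = ((1,),)  # fixed satisfiable formula alpha_0; CNF as tuples of int literals

def satisfies(assignment, cnf):
    # A variable missing from the assignment is read as False.
    return all(any(assignment.get(abs(lit), False) == (lit > 0) for lit in clause)
               for clause in cnf)

def opt(proof):
    # Assumed stand-in for Opt: the natural proof system, proof = (cnf, assignment).
    cnf, assignment = proof
    return cnf if satisfies(assignment, cnf) else ALPHA0

# Acceptors are generators: each next() is one computational step. They yield
# None while running, then ("accept", x) or ("reject", None), where x is the
# accepting computation (here simply the formula with the witness found).
def brute_force(cnf):  # plays the role of M_0
    variables = sorted({abs(lit) for clause in cnf for lit in clause})
    for bits in product([False, True], repeat=len(variables)):
        a = dict(zip(variables, bits))
        if satisfies(a, cnf):
            yield ("accept", (cnf, a))
            return
        yield None
    yield ("reject", None)

def all_true(cnf):  # consistent heuristic: accepts only if all-true satisfies
    yield None
    a = {abs(lit): True for clause in cnf for lit in clause}
    if satisfies(a, cnf):
        yield ("accept", (cnf, a))
    while True:  # never halts on any other input
        yield None

def liar(cnf):  # inconsistent machine: "accepts" every input
    yield ("accept", (cnf, {}))

# Transducers are generators too: None while running, then the output string y.
def identity(x):  # translates computations of all_true into Opt-proofs
    yield None
    yield x

def constant(x):  # always outputs a proof of alpha_0
    yield (ALPHA0, {1: True})

def almost_optimal(w, acceptors, transducers):
    """Run the rounds of T on w; returns (accepted, rounds, who_decided)."""
    runs = [m(w) for m in acceptors]  # histories: PARTIAL RESULTS
    halted = [False] * len(runs)
    queue = []  # QUEUE FOR VERIFICATION: [i, k, transducer run, output y]
    rounds = 0
    while True:
        rounds += 1
        # Group 1: one more step of every acceptor on w.
        for i, run in enumerate(runs):
            if halted[i]:
                continue
            result = next(run)
            if result is None:
                continue
            halted[i] = True
            verdict, x = result
            if i == 0:  # M_0 halted: its YES/NO answer is final
                return (verdict == "accept", rounds, "M_0")
            if verdict == "accept":
                queue += [[i, k, t(x), None] for k, t in enumerate(transducers)]
        # Group 2: one more step of every transducer on every queued computation.
        for entry in queue:
            if entry[3] is None:
                entry[3] = next(entry[2])
        # Group 3: accept only if some output y is an Opt-proof of w.
        for i, k, _, y in queue:
            if y is not None and opt(y) == w:
                return (True, rounds, (i, k))
```

On a formula of ten unit clauses the brute-force machine alone needs 1024 rounds, while T accepts in round 3 through the pair (all_true, identity); the acceptance claimed by `liar` never passes the check in group 3, which is why T stays correct on unsatisfiable inputs.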

The following result was proved in [5] . 

Theorem 2. (Krajicek, Pudlák) The following statements are equivalent. 

(i) There exists a p-optimal proof system for TAUT. 

(ii) There exists an almost optimal deterministic algorithm for TAUT. 

Using Theorem 1, Theorem 2, Fact 2, and Fact 3 we can prove our main 
theorem. 

Theorem 3. The following statements are equivalent. 

(i) TAUT and SAT have p-optimal proof systems. 

(ii) There exists an optimal deterministic algorithm for SAT. 

(iii) There exists an optimal deterministic algorithm for TAUT. 

7 Levin’s optimality 

The following theorem is attributed to L. A. Levin in [9]. 

Theorem 4. (Levin) 

There exists a deterministic Turing machine L which recognizes SAT and such 
that for every deterministic Turing machine N which recognizes SAT there exists 
a polynomial p such that for any $w \in SAT$ 

$$\mathrm{TIME}(L, w) < p(|w|, \max\{\mathrm{TIME}(N, v) : v \in SAT, |v| < |w|\})$$

We call the machine L an almost optimal deterministic algorithm 
for SAT with Levin’s optimality property. We propose to introduce the following 
notion. 

Definition 8. An optimal deterministic algorithm for SAT with Levin’s optimality 
property is a deterministic Turing machine M which recognizes SAT and 
such that for every deterministic Turing machine M' which recognizes SAT there 
exists a polynomial p such that for any $w \in \Sigma^*$ 

$$\mathrm{TIME}(M, w) < p(|w|, \max\{\mathrm{TIME}(M', v) : |v| < |w|\})$$

It follows from Theorem 2, Fact 3 and Theorem 4 that the existence of a p- 
optimal proof system for TAUT implies the existence of an optimal deterministic 
algorithm for SAT with Levin’s optimality property. 
Abstract. Characteristic properties of majorant-computable real-valued 
functions are studied. A formal theory of computability over the reals 
which satisfies the requirements of numerical analysis used in Computer 
Science is constructed on the base of the definition of majorant-computability 
proposed in [13]. A model-theoretical characterization of majorant-computable 
real-valued functions and their domains is investigated. 
A theorem which connects the graph of a majorant-computable function 
with validity of a finite formula on the set of hereditarily finite sets on $\widehat{\mathbb{R}}$, 
HF($\widehat{\mathbb{R}}$) (where $\widehat{\mathbb{R}}$ is a proper elementary enlargement of the standard 
reals) is proven. A comparative analysis of the definition of majorant-computability 
and the notions of computability earlier proposed by Blum 
et al., Edalat, Sünderhauf, Pour-El and Richards, Stoltenberg-Hansen 
and Tucker is given. Examples of majorant-computable real-valued functions 
are presented. 



1 Introduction 

Recently, attention to the problems of computability over uncountable 
structures, particularly over the reals, has been constantly growing. The theories proposed 
by Barwise [1], Scott [18], Ershov [7], Grzegorczyk [9], Moschovakis [15], Freedman 
[8] got further development in the works of Blum, Shub, Smale [4], Pour-El, 
Richards [16], Edalat, Sünderhauf [6], Stoltenberg-Hansen, Tucker [19], Korovina, 
Kudinov [13] and others. This work continues the investigation of the approach 
to computability proposed in [13]. 

Developing our approach we took into consideration the following requirements: 

1. Our notion of computability should involve only effective processes. 

2. Its definition should contain a minimal number of limitations. 

3. The class of computable real-valued functions should have clear and exact 
classifications in logical and topological terms. 

4. This class should also contain the classes of computable real-valued functions 
proposed in earlier works by Blum, Shub, Smale; Pour-El, Richards; 
Stoltenberg-Hansen, Tucker; Edalat, Sünderhauf as subclasses. 

* This research was supported in part by the RFBR (grant N 96-15-96878) and by 
the Siberian Division of RAS (a grant for young researchers, 1997) 

According to these requirements we construct a notion of computability over 
the reals with the following properties: 

1. In our approach, the computation of a real-valued function is an infinite 
process that produces approximations closer and closer to the result. 

2. This approach does not depend on the way of representing the reals. The 
definition of computability does not limit the class of considered functions by 
the property of continuity and the property of being total. Also uniform 
convergence of processes that produce approximations to a computed function is 
not required. The use of nonstandard models of the first-order theory of the reals 
enables us to investigate properties of computability of partial real-valued 
functions. 

3. Special attention is paid to definability of majorant-computable real-valued 
functions and their domains. A theorem which connects the graph of a 
majorant-computable function with validity of a finite formula in the set of hereditarily 
finite sets HF($\widehat{\mathbb{R}}$) (where $\widehat{\mathbb{R}}$ is a proper elementary enlargement of the standard 
real numbers) is proven. The property of definability can be considered as a 
denotational semantics of computational processes. Also we give a characterization 
of the domains of majorant-computable functions via formulas. 

4. A comparative analysis of the definition of majorant-computability and 
the notions of computability earlier proposed by Blum et al., Pour-El and 
Richards, Edalat and Sünderhauf is given. For continuous total real-valued 
functions, the class of majorant-computable functions coincides with the class of 
computable functions introduced by Pour-El, Richards, and with the class introduced 
by Edalat and Sünderhauf. For partial real-valued functions, the class of 
computable functions introduced by Edalat and Sünderhauf is contained in the class 
of majorant-computable functions. 

In our approach, the majorant-computable functions include an interesting 
class of real-valued total functions that admit meromorphic continuation onto $\mathbb{C}$. 
This class, in particular, contains functions that are solutions of well-known 
differential equations. 

2 Basic Notions 

Throughout the article, $\langle \mathbb{R}, 0, 1, +, \cdot, < \rangle$ is the standard model of the reals, 
denoted also by $\mathbb{R}$, where $+$ and $\cdot$ are regarded as predicate symbols. Let Th($\mathbb{R}$) 
be the first order theory of $\mathbb{R}$. Let $\mathbb{N}$ denote the set of natural numbers and $\mathbb{Q}$ 
the set of rational numbers. 

We use definability as one of the basic conceptions. Montague [14] proposed 
to consider computability from the point of view of definability. Later, many 
authors, among them Ershov [7] and Moschovakis [15], paid attention to properties 
of this approach applied to various basic models. We rely on the following 
notion of definability in a structure $\mathfrak{M} = \langle M, \sigma_0 \rangle$, where $\sigma_0$ is a finite first-order 
language. Bold face indicates sequences, in particular, $\mathbf{x} = x_1, \ldots, x_n$. 

A formula $\Phi(\mathbf{x})$ is said to define the set $\{\mathbf{r} \in M^n \mid \mathfrak{M} \models \Phi(\mathbf{r})\}$, and a set 
of this form is called a definable subset of $M^n$. A function $F : M^n \to M$ is said 
to be definable if its graph is definable (in $\mathfrak{M}$). 

Recall some properties of definable sets and functions in $\mathbb{R}$. The following 
statements are proven in [5,12]. Denote by $\mathbb{R}_0$ the real closure of the rational numbers. 
We use standard notations for real intervals $(a, b)$, $[a, b]$, $(a, b]$, $[a, b)$. 

In addition, $\langle a, b \rangle$ denotes any of these intervals. 

Proposition 1 (o-minimality property). 

1. A set $B \subseteq \mathbb{R}$ is definable if and only if there exist $n \in \omega$ and 
$a_1, b_1, \ldots, a_n, b_n \in \mathbb{R}_0 \cup \{+\infty, -\infty\}$ such 
that $B = \bigcup_{i \le n} \langle a_i, b_i \rangle$. 

2. Each definable subset of $\mathbb{R}^n$ is the disjoint union of finitely many cells, each 
of which is also definable. (A cell is a space that is homeomorphic to some $\mathbb{R}^k$, 
where $k \le n$.) 

Proof. See [2,5]. 

Since the theory Th($\mathbb{R}$) admits elimination of quantifiers, it follows that 
the o-minimality property holds on every model of Th($\mathbb{R}$). 

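For a function $f$ let us denote 

$$\mathrm{dom}(f) = \{x \mid \exists y\, (f(x) = y)\},$$
$$\mathrm{im}(f) = \{y \mid \exists x\, (f(x) = y)\},$$
$$\Gamma_f = \{(x, y) \mid [(x, y) \in \mathrm{dom}(f) \times \mathrm{im}(f)] \wedge [f(x) = y]\}.$$

A function $f : M \to L$ is called total if $\mathrm{dom}(f) = M$. 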

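Definition 2. A partial real-valued function $f : \mathbb{R} \to \mathbb{R}$ is said to be algebraic 
if for some $a, b, c, d \in \mathbb{R}_0 \cup \{-\infty, +\infty\}$ and a polynomial $p \in \mathbb{Q}[x, y]$, 
the following conditions hold: 

1. $\mathrm{dom}(f) = \langle a, b \rangle$; 

2. $\mathrm{im}(f) = \langle c, d \rangle$; 

3. $\Gamma_f = \{(x, y) \mid [(x, y) \in \langle a, b \rangle \times \langle c, d \rangle] \wedge [p(x, y) = 0]\}$. 

Proposition 3. A real-valued function $f : \mathbb{R} \to \mathbb{R}$ is definable if and only if 
the following conditions hold. 

1. There exist $n \in \omega$ and $a_1, b_1, \ldots, a_n, b_n \in \mathbb{R}_0 \cup \{+\infty, -\infty\}$ such that 
$\mathrm{dom}(f) = \bigcup_{i \le n} \langle a_i, b_i \rangle$ and $\langle a_j, b_j \rangle \cap \langle a_i, b_i \rangle = \emptyset$ for $i \ne j$. 

2. $f$ is an algebraic function on the interval $\langle a_i, b_i \rangle$ for all $i \le n$. 

Proof. See [2, 12]. 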
The previous proposition implies that a real-valued function $f$ is definable if 
and only if $f$ is the finite union of algebraic functions defined on disjoint intervals 
with algebraic endpoints. In order to study richer classes of real-valued functions 
than the above one we need an enlargement of our basic model. 

Let us construct the set of hereditarily finite sets HF($M$) over a model $\mathfrak{M}$. 
This structure is rather well studied in the theory of admissible sets [1,7] and 
permits us to define the natural numbers, to code, and to store information via 
formulas. 

Let $\mathfrak{M}$ be a model whose language $\sigma_0$ contains no function symbols and 
whose carrier set is $M$. We construct the set of hereditarily finite sets, HF($M$), 
as follows: 

1. $S_0(M) \rightleftharpoons M$, $S_{n+1}(M) \rightleftharpoons \mathcal{P}_\omega(S_n(M)) \cup S_n(M)$, where $n \in \omega$ and for every 
set $B$, $\mathcal{P}_\omega(B)$ is the set of all finite subsets of $B$. 

2. $\mathrm{HF}(M) = \bigcup_{n \in \omega} S_n(M)$. 

We define $\mathbf{HF}(\mathfrak{M}) \rightleftharpoons \langle \mathrm{HF}(M), M, \sigma_0, \emptyset_{\mathrm{HF}(M)}, \in_{\mathrm{HF}(M)} \rangle$, where $\emptyset_{\mathrm{HF}(M)}$ and 
the binary predicate symbol $\in_{\mathrm{HF}(M)}$ have the set-theoretic interpretation. Denote 
$\sigma = \sigma_0 \cup \{\emptyset_{\mathrm{HF}(M)}, \in_{\mathrm{HF}(M)}\}$. The notions of a term and an atomic formula 
are given in a standard manner. 

The set of $\Delta_0$-formulas is the closure of the set of atomic formulas in the 
language $\sigma$ under $\wedge$, $\vee$, $\neg$, $\exists x \in t$ and $\forall x \in t$, where $\exists x \in t\; \varphi$ denotes $\exists x (x \in t \wedge \varphi)$ 
and $\forall x \in t\; \varphi$ denotes $\forall x (x \in t \to \varphi)$. The set of $\Sigma$-formulas is the closure of 
the set of $\Delta_0$-formulas under $\wedge$, $\vee$, $\exists x \in t$, $\forall x \in t$, and $\exists$. We define $\Pi$-formulas 
as negations of $\Sigma$-formulas. 

Definition 4. 1. A set $B \subseteq \mathrm{HF}(M)$ is $\Sigma$-definable if there exists a $\Sigma$-formula 
$\Phi(x)$ such that $x \in B \leftrightarrow \mathbf{HF}(\mathfrak{M}) \models \Phi(x)$. 

2. A function $f : \mathrm{HF}(M) \to \mathrm{HF}(M)$ is $\Sigma$-definable if there exists 
a $\Sigma$-formula $\Phi(x, y)$ such that $f(x) = y \leftrightarrow \mathbf{HF}(\mathfrak{M}) \models \Phi(x, y)$. 

In a similar way, we define the notions of $\Pi$-definable functions and sets. The 
class of $\Delta$-definable functions (sets) is the intersection of the class of $\Sigma$-definable 
functions (sets) and the class of $\Pi$-definable functions (sets). 

Note that the sets $M$ and $M^n$ are $\Delta_0$-definable. This fact makes HF($M$) 
a suitable domain for studying functions from $M^n$ to $M$. To introduce the 
definition of majorant-computability we use a class of $\Sigma$-definable real-valued 
functions as a basic class. So, we recall properties of $\Sigma$-definable real-valued functions 
and subsets of $\mathbb{R}^n$. The following propositions give important properties of $\Sigma$-, 
$\Delta$-, $\Pi$-definable sets and functions. 

Proposition 5. Let be a model of Th($\mathbb{R}$) and $\sigma_0$ be the language of Th($\mathbb{R}$). 

1. A set $B \subseteq \mathbb{R}$ is $\Sigma$-definable if and only if there exists an effective sequence 
of quantifier-free formulas in the language $\sigma_0$, $\{\Phi_s(x)\}_{s \in \omega}$, such that 
$x \in B \leftrightarrow \bigvee_{s \in \omega} \Phi_s(x)$. 

2. A set $B \subseteq \mathbb{R}$ is $\Pi$-definable if and only if there exists an effective sequence 
of quantifier-free formulas in the language $\sigma_0$, $\{\Phi_s(x)\}_{s \in \omega}$, such that 
$x \in B \leftrightarrow \bigwedge_{s \in \omega} \Phi_s(x)$. 

Proof. The claim is immediate from the properties of the set of hereditarily finite 
sets and the fact that Th($\mathbb{R}$) admits elimination of quantifiers. □ 

Proposition 6. Let $\mathbb{R}$ be the standard reals. 

The following statements hold in HF($\mathbb{R}$). 

1. The set $\mathbb{N}$ is $\Delta$-definable. 

2. The class of $\Sigma$-definable real-valued total functions is closed under 
composition. 

3. There is a universal real-valued $\Sigma$-definable function in the class 
of $\Sigma$-definable real-valued functions. 

Proof. See [7, 12, 11] and Proposition 5. 

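Proposition 7. A real-valued function $f : \mathbb{R} \to \mathbb{R}$ is $\Sigma$-definable if and only if 
the following conditions hold. 

1. There exist effective sequences $\{a_i\}_{i \in \omega}$, $\{b_i\}_{i \in \omega}$, 
where $a_i, b_i \in \mathbb{R}_0 \cup \{+\infty, -\infty\}$ for $i \in \omega$, such that 
$\mathrm{dom}(f) = \bigcup_{i \in \omega} \langle a_i, b_i \rangle$ and $\langle a_j, b_j \rangle \cap \langle a_i, b_i \rangle = \emptyset$ for $i \ne j$. 

2. There exists an effective sequence of algebraic functions $\{g_i\}_{i \in \omega}$ such that 
$f$ coincides with $g_i$ on the interval $\langle a_i, b_i \rangle$ for all $i \in \omega$. 

Proof. See [12] and Proposition 5. 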

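Theorem 8 (Uniformization). Let $\widehat{\mathbb{R}}$ be a model of Th($\mathbb{R}$). 

For any subset of $\widehat{\mathbb{R}}^{n+1}$ which is $\Sigma$-definable by a $\Sigma$-formula $\Phi$ there exists 
a $\Sigma$-definable function $f : \widehat{\mathbb{R}}^n \to \widehat{\mathbb{R}}$ such that 

1. $\mathrm{dom}(f) = \{\mathbf{x} \mid \mathrm{HF}(\widehat{\mathbb{R}}) \models \exists y\, \Phi(\mathbf{x}, y)\}$. 

2. for $\mathbf{x} \in \mathrm{dom}(f)$ we have $\mathrm{HF}(\widehat{\mathbb{R}}) \models \Phi(\mathbf{x}, f(\mathbf{x}))$. 

Proof. See [12] and Proposition 7. 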

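To introduce the notion of majorant-computability for partial real-valued 
functions we need a notion of prime enlargement of $\mathbb{R}$. 

Definition 9. A model $\widehat{\mathbb{R}}$ of Th($\mathbb{R}$) is called a prime enlargement of $\mathbb{R}$ if there 
exists $t \in \widehat{\mathbb{R}}$ such that $t > n$ for every natural $n$ (we write $t > \mathbb{N}$) and $\widehat{\mathbb{R}}$ is 
the real closure of the ordered field $\mathbb{R}(t)$. 

In addition, we write $t > \mathbb{R}$ if $t > r$ for all $r \in \mathbb{R}$. 

Definition 10. Let $\widehat{\mathbb{R}}$ be a proper elementary enlargement of $\mathbb{R}$ and let $t > \mathbb{N}$. 
We define the following function $\mathrm{sp} : \widehat{\mathbb{R}} \to \mathbb{R} \cup \{-\infty, +\infty\}$: 

$$\mathrm{sp}(x) = \begin{cases} x^* \in \mathbb{R} & \text{if for } |x - x^*| = \varepsilon \text{ the condition } 0 < \varepsilon < \mathbb{R}^+ \text{ holds}, \\ +\infty & \text{if } x > \mathbb{R}, \\ -\infty & \text{if } x < \mathbb{R}. \end{cases}$$

An element $x \in \widehat{\mathbb{R}}$ is finite if and only if $-\infty < \mathrm{sp}(x) < +\infty$. The set of all 
finite elements of $\widehat{\mathbb{R}}$ is denoted by Fin($\widehat{\mathbb{R}}$). 

Since $\widehat{\mathbb{R}} \models$ Th($\mathbb{R}$), $\widehat{\mathbb{R}}$ is a proper elementary enlargement of $\mathbb{R}$ with the same 
true first-order formulas. Recall properties of prime enlargements and proper 
elementary enlargements of $\mathbb{R}$. 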

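Proposition 11. 1. Every two prime enlargements of $\mathbb{R}$ are isomorphic. 

2. There exists a nonstandard element $t > \mathbb{N}$ in a proper elementary enlargement 
of $\mathbb{R}$. 

Proof. See [10,17]. 

Lemma 12. Let $p(x, \mathbf{y})$ be a countable set of first-order formulas with one 
variable $x$ and real parameters $\mathbf{y}$. Given proper elementary enlargements $\widehat{\mathbb{R}}_1$, $\widehat{\mathbb{R}}_2$ 
of $\mathbb{R}$, $p(x, \mathbf{y})$ holds in $\widehat{\mathbb{R}}_1$ if and only if $p(x, \mathbf{y})$ holds in $\widehat{\mathbb{R}}_2$. 

Proof. The claim is immediate from o-minimality of $\widehat{\mathbb{R}}_1$ and $\widehat{\mathbb{R}}_2$. □ 

Lemma 13. Let $\widehat{\mathbb{R}}$ be a prime enlargement of $\mathbb{R}$. 

For every $\Sigma$-formula $\varphi(z, \mathbf{x})$ there exists a $\Sigma$-formula $\varphi^*(\mathbf{x})$ such that, 
for all $\mathbf{x} \in \mathbb{R}^n$ and $t > \mathbb{N}$, $\mathrm{HF}(\widehat{\mathbb{R}}) \models \varphi(t, \mathbf{x}) \leftrightarrow \mathrm{HF}(\mathbb{R}) \models \varphi^*(\mathbf{x})$. 

Proof. The claim is immediate from o-minimality of $\widehat{\mathbb{R}}$. □ 

Lemma 14. Let $\widehat{\mathbb{R}}$ be a model of Th($\mathbb{R}$) and let $B$ be a countable subset of $\widehat{\mathbb{R}}$. 
If $B$ is $\Sigma$-definable in HF($\widehat{\mathbb{R}}$) then there exists a $\Sigma$-definable function 
$h : \mathbb{N} \to \widehat{\mathbb{R}}$ numbering $B$. 

Proof. The claim is immediate from Proposition 1 and Proposition 5. □ 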

3 Majorant-Computable Functions 

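Let us recall the notion of majorant-computability for real-valued functions 
presented in [13]. We use as a basic class the class of $\Sigma$-definable total functions 
of type $f : \widehat{\mathbb{R}} \to \widehat{\mathbb{R}}$, where $\widehat{\mathbb{R}}$ is a proper elementary enlargement of $\mathbb{R}$. 
A real-valued function is said to be majorant-computable if we can construct 
a special kind of nonterminating process computing approximations closer and 
closer to the result. 

Definition 15. A function $f : \mathbb{R}^n \to \mathbb{R}$ is called majorant-computable if there 
exist effective sequences of $\Sigma$-formulas $\{\Phi_s(a, \mathbf{x}, y)\}_{s \in \omega}$ and $\{G_s(a, \mathbf{x}, y)\}_{s \in \omega}$, 
with a parameter $a$, and a proper elementary enlargement $\widehat{\mathbb{R}}$ of $\mathbb{R}$ such that 
the following conditions hold. 

1. There exists $t \in \widehat{\mathbb{R}}$ such that $t > \mathbb{N}$; 

2. For all $s \in \omega$, the formulas $\Phi_s(a, \mathbf{x}, y)$ and $G_s(a, \mathbf{x}, y)$ define total 
functions $f_s$ and $g_s$ as follows: 

a. $f_s : \widehat{\mathbb{R}}^n \to \widehat{\mathbb{R}}$ and $g_s : \widehat{\mathbb{R}}^n \to \widehat{\mathbb{R}}$, 
b. $f_s(\mathbf{x}) = y \leftrightarrow \mathrm{HF}(\widehat{\mathbb{R}}) \models \Phi_s(t, \mathbf{x}, y)$, 
$g_s(\mathbf{x}) = y \leftrightarrow \mathrm{HF}(\widehat{\mathbb{R}}) \models G_s(t, \mathbf{x}, y)$; 

3. For all $\mathbf{x} \in \widehat{\mathbb{R}}^n$, the sequence $\{f_s(\mathbf{x})\}_{s \in \omega}$ increases monotonically; the 
sequence $\{g_s(\mathbf{x})\}_{s \in \omega}$ decreases monotonically; 

4. For all $s \in \omega$, $\mathbf{x} \in \mathrm{dom}(f)$, $f_s(\mathbf{x}) < f(\mathbf{x}) < g_s(\mathbf{x})$ and, for all $\mathbf{x} \in \widehat{\mathbb{R}}^n$, 
$f_s(\mathbf{x}) < g_s(\mathbf{x})$; 

5. $f(\mathbf{x}) = y \leftrightarrow \lim_{s \to \infty} \mathrm{sp}(f_s(\mathbf{x})) = y$ and $\lim_{s \to \infty} \mathrm{sp}(g_s(\mathbf{x})) = y$. 

The sequence $\{f_s\}_{s \in \omega}$ in Definition 15 is called a sequence of lower 
$\Sigma$-approximations for $f$. The sequence $\{g_s\}_{s \in \omega}$ is called a sequence of upper 
$\Sigma$-approximations for $f$. 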

As we can see, the process which carries out the computation is represented 
by two effective procedures. These procedures produce $\Sigma$-approximations closer 
and closer to the result. If the computational process converges to infinity the 
procedures produce nonstandard elements like $-t$ or $t$, where $t > \mathbb{R}$. 

So, using a proper elementary enlargement of $\mathbb{R}$ in the Definition 9 we admit 
only precise computations at finite steps. Since a prime enlargement is effectively 
constructed over $\mathbb{R}$, this approach allows us to consider computability of partial 
functions in a natural way. 

The following theorem connects the graph of a majorant-computable function 
with validity of a finite formula in the set of hereditarily finite sets, HF($\widehat{\mathbb{R}}$) 
(where $\widehat{\mathbb{R}}$ is a proper elementary enlargement of the standard real numbers). 

Definition 16. Let $\widehat{\mathbb{R}}$ be a proper elementary enlargement of $\mathbb{R}$. A formula $\Phi$ 
is said to determine a function $f : \mathbb{R} \to \widehat{\mathbb{R}}$ in the model HF($\widehat{\mathbb{R}}$) if the following 
statement holds: $f(x) = y \leftrightarrow$ 

($\mathrm{HF}(\widehat{\mathbb{R}}) \models \Phi(x, y)$ for $x \in \mathbb{R}$ and $\{\mathrm{sp}(z) \mid \Phi(x, z)\} = \{y\}$ for $y \in \mathbb{R}$). 

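Theorem 17. For all functions $f : \mathbb{R}^n \to \mathbb{R}$, the following assertions are 
equivalent: 

1. The function $f$ is majorant-computable. 

2. There exist a prime enlargement $\widehat{\mathbb{R}}$ of $\mathbb{R}$ and a $\Pi$-formula that determines 
a function $F$ in HF($\widehat{\mathbb{R}}$) with the property $F \upharpoonright \mathbb{R} = f$. 

3. There exists a $\Pi$-formula that in any proper elementary enlargement $\widehat{\mathbb{R}}$ of $\mathbb{R}$ 
determines a function $F$ with the property $F \upharpoonright \mathbb{R} = f$. 

Proof. 1→2) Let $f$ be majorant-computable. By Proposition 11, without loss 
of generality, we may assume that there exist a prime enlargement $\widehat{\mathbb{R}}$ of $\mathbb{R}$, 
a sequence $\{f_s\}_{s \in \omega}$ of lower $\Sigma$-approximations for $f$, and a sequence $\{g_s\}_{s \in \omega}$ 
of upper $\Sigma$-approximations for $f$. Let $t > \mathbb{N}$. Denote $B = \mathbb{Q} \cup \{\pm t^n \mid n \in \mathbb{Q}\}$. 

Using $\{f_s\}_{s \in \omega}$, $\{g_s\}_{s \in \omega}$, and cofinality of $B$ in $\widehat{\mathbb{R}}$, we construct a sequence 
$\{f^*_s\}_{s \in \omega}$ of new lower $\Sigma$-approximations for $f$ and a sequence $\{g^*_s\}_{s \in \omega}$ of new 
upper $\Sigma$-approximations for $f$ such that, for all $s \in \omega$, the ranges of $f^*_s$ and 
$g^*_s$ are subsets of $B$. Denote: 

$$D_1(\mathbf{x}) = \{z \in B \mid \exists s\, (f_s(\mathbf{x}) > z)\}, \quad D_2(\mathbf{x}) = \{z \in B \mid \exists s\, (g_s(\mathbf{x}) < z)\}.$$

The sets $D_1(\mathbf{x})$ and $D_2(\mathbf{x})$ are $\Delta$-definable and countable; so, by Lemma 14, 
there exist a function $h_1(n, \mathbf{x})$ numbering $D_1(\mathbf{x})$ and a function $h_2(n, \mathbf{x})$ 
numbering $D_2(\mathbf{x})$. Next, put 

$$f^*_s(\mathbf{x}) = \max_{n \le s} h_1(n, \mathbf{x}), \quad g^*_s(\mathbf{x}) = \min_{n \le s} h_2(n, \mathbf{x}).$$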
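By construction, the sequences $\{f^*_s\}_{s \in \omega}$ and $\{g^*_s\}_{s \in \omega}$ are what we seek. 
Let 

$$f^*_s(\mathbf{x}) = y \leftrightarrow \mathrm{HF}(\widehat{\mathbb{R}}) \models \Phi^*_s(t, \mathbf{x}, y), \quad g^*_s(\mathbf{x}) = y \leftrightarrow \mathrm{HF}(\widehat{\mathbb{R}}) \models G^*_s(t, \mathbf{x}, y),$$

where $\Phi^*_s$ and $G^*_s$ are $\Sigma$-formulas. From Lemma 12 it follows that, for all $s \in \omega$, 
there exist $\Sigma$-formulas $\Phi^{**}_s$ and $G^{**}_s$ such that, for every $\mathbf{x} \in \mathbb{R}^n$ and $y \in \mathbb{R}$: 

$$\mathrm{HF}(\widehat{\mathbb{R}}) \models G^*_s(t, \mathbf{x}, y) \leftrightarrow G^{**}_s(\mathbf{x}, y), \quad \mathrm{HF}(\widehat{\mathbb{R}}) \models \Phi^*_s(t, \mathbf{x}, y) \leftrightarrow \Phi^{**}_s(\mathbf{x}, y).$$

Let 

$$d_s = \{\mathbf{x} \mid \mathbf{x} \in \mathrm{Fin}^n(\widehat{\mathbb{R}}),\ f^*_s(\mathbf{x}), g^*_s(\mathbf{x}) \in \mathrm{Fin}(\widehat{\mathbb{R}})\} \text{ for } s \in \omega.$$

By $\Sigma$-definability of Fin($\widehat{\mathbb{R}}$), the set $d_s$ is $\Sigma$-definable. It is easy to see that 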
dg -^g^uj dom(/). Put 

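$$\Phi(\mathbf{x}, y) \rightleftharpoons \forall s\, \forall y_1 \forall y_2\, [(\mathbf{x} \in d_s) \to ((\Phi^{**}_s(\mathbf{x}, y_1) \wedge G^{**}_s(\mathbf{x}, y_2)) \to (y_1 \le y \le y_2))].$$

The $\Pi$-formula $\Phi$ determines a function $F : \widehat{\mathbb{R}} \to \mathbb{R}$. 

Let us prove that $F \upharpoonright \mathbb{R} = f$. 

Let $f(\mathbf{x}) = y$. Suppose the contrary: $F(\mathbf{x}) \ne y$. By Definition 16, there exist 
$s \in \omega$, $y_1, y_2 \in \widehat{\mathbb{R}}$ such that 

$$\mathrm{HF}(\mathbb{R}) \models (\mathbf{x} \in d_s) \wedge \Phi^{**}_s(\mathbf{x}, y_1) \wedge G^{**}_s(\mathbf{x}, y_2) \wedge (y \notin [y_1, y_2]).$$

By the constructions of $f^*_s$, $g^*_s$ and the definition of $d_s$, there exist $z_1, z_2 \in \mathbb{R}$ 
such that 

$$f^*_s(\mathbf{x}) = z_1 \leftrightarrow \mathrm{HF}(\widehat{\mathbb{R}}) \models \Phi^*_s(t, \mathbf{x}, z_1), \quad g^*_s(\mathbf{x}) = z_2 \leftrightarrow \mathrm{HF}(\widehat{\mathbb{R}}) \models G^*_s(t, \mathbf{x}, z_2).$$

Note that $\mathbf{x} \in \mathbb{R}^n$ and $z_1, z_2 \in \mathbb{R}$. So, we have 

$$f^*_s(\mathbf{x}) = z_1 \leftrightarrow \mathrm{HF}(\mathbb{R}) \models \Phi^{**}_s(\mathbf{x}, z_1), \quad g^*_s(\mathbf{x}) = z_2 \leftrightarrow \mathrm{HF}(\mathbb{R}) \models G^{**}_s(\mathbf{x}, z_2)$$

and 

$$\mathrm{HF}(\widehat{\mathbb{R}}) \models (\mathbf{x} \in d_s) \wedge \Phi^{**}_s(\mathbf{x}, z_1) \wedge G^{**}_s(\mathbf{x}, z_2) \wedge (y \in [y_1, y_2]).$$

Note that if a formula $G(\mathbf{x}, y)$ defines the function $f$ in HF($\mathbb{R}$) then 
$\mathrm{HF}(\widehat{\mathbb{R}}) \models G(\mathbf{x}, y)$ for $\mathbf{x} \in \mathrm{dom}(f)$, $y \in \mathbb{R}$. It is easy to see that the formulas $\Phi^{**}_s$, 
$G^{**}_s$ define functions in HF($\mathbb{R}$), so $y_1 = z_1$ and $y_2 = z_2$; a contradiction. 

If $F(\mathbf{x}) = y$ for $\mathbf{x} \in \mathbb{R}^n$ and $y \in \mathbb{R}$, 

$$\{\mathrm{sp}(z) \mid \bigwedge_{s \in \omega} (f^*_s(\mathbf{x}) \le z \le g^*_s(\mathbf{x}))\} = \{y\}.$$

It follows that $\lim_{s \to \infty} \mathrm{sp}(f^*_s(\mathbf{x})) = y$ and $\lim_{s \to \infty} \mathrm{sp}(g^*_s(\mathbf{x})) = y$. So, $f(\mathbf{x}) = y$ 
and the formula $\Phi$ is what we seek. 

2→3) This is obvious. 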
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3^-1) Let ]R be a prime enlargement of IR and let a 7T-formula ^(x, y) determine 
the function F such that F |]r= /. From Proposition 5 it follows that there exists 
an effective sequence of quantifier-free formulas {(pi{x,y)}i(z^^ such that 

HF(IR) h ^(x,y) ^ HF(IR) h A • 



Denote 

^s(x,y) ^ A • 

i<s 

Put 



^(x) 



inf{y I ^s{x,y)} if inf{y | ^s{x,y)} exists, 
—t otherwise, 



5s (x) 



sup{y I ^s(x,y)} if sup{y | ^s(x,y)} exists, 
t otherwise, 



where t > IN . 



Then {/slsgo; and are the sought sequences. □ 

We remark that if $f$ is a total function then the sequences $\{f_s\}_{s\in\omega}$ and $\{g_s\}_{s\in\omega}$
can be constructed to converge uniformly to $f$ on $\mathbb{R}$.

As a corollary of the previous theorem we note that whenever we want
to prove that some statements define a majorant-computable function, we can
assume, without loss of generality, that the proper elementary enlargement of $\mathbb{R}$
in Definition 15 is a prime enlargement of $\mathbb{R}$.

Proposition 18. Let $f : \mathbb{R}^n \to \mathbb{R}$ be majorant-computable.

Then $\mathrm{dom}(f)$ is $\Pi_2$-definable by a formula of type $(\forall z \in \mathbb{R})\,\Phi(z,x)$,
where $\Phi$ is a $\Sigma$-formula.

Proof. Let $\{f_s\}_{s\in\omega}$ be a sequence of lower $\Sigma$-approximations for $f$,
and let $\{g_s\}_{s\in\omega}$ be a sequence of upper $\Sigma$-approximations for $f$.

We obtain:

$$x \in \mathrm{dom}(f) \leftrightarrow \mathrm{HF}(\mathbb{R}) \models (\forall \varepsilon \in \mathbb{R})(\exists s \in \mathbb{N})\, |f_s(x) - g_s(x)| < \varepsilon.$$

By $\Sigma$-definability of the natural numbers, the set $\mathrm{dom}(f)$ is $\Pi_2$-definable. □

Corollary 19. The domain of a majorant-computable function is the effective 
intersection of intervals with algebraic endpoints. 

Proof. The claim is immediate from Proposition 5 and Proposition 18. □ 

Definition 20. Let a function $f : \mathbb{R}^n \to \mathbb{R}$ be total.

The epigraph of $f$ is defined to be the set $U = \{(x,y) \mid f(x) < y\}$. The ordinate
set of $f$ is defined to be the set $D = \{(x,y) \mid f(x) > y\}$.

Corollary 21. Let $f : \mathbb{R}^n \to \mathbb{R}$ be a total function.

The function $f$ is majorant-computable if and only if the epigraph of $f$ and
the ordinate set of $f$ are $\Sigma$-definable sets.

Proof. It is clear that

$$(x,z) \in U \leftrightarrow \mathrm{HF}(\mathbb{R}) \models \exists s \exists y\, [(s \in \mathbb{N}) \land G_s^{**}(x,y) \land (z > y)],$$

$$(x,z) \in D \leftrightarrow \mathrm{HF}(\mathbb{R}) \models \exists s \exists y\, [(s \in \mathbb{N}) \land \Phi_s^{**}(x,y) \land (z < y)],$$

where the formulas $G_s^{**}$ and $\Phi_s^{**}$ are those in the proof of Theorem 17. □

Corollary 22. Let $f : \mathbb{R} \to \mathbb{R}$.

1. If $f$ is a $\Sigma$-definable real-valued function, then $f$ is majorant-computable.

2. If $\mathrm{dom}\, f \subseteq \mathbb{N}$ and $\mathrm{im}\, f \subseteq \mathbb{N}$, then $f$ is majorant-computable if $f$ is a partial
recursive function.

3. If $f$ is a majorant-computable total function, then $f$ is a piecewise continuous
function.

Proof. The claims follow from the definition of majorant-computability. □

4 Majorant-Computability and PR-, ES-Computabilities over the Reals

Let us denote the computability proposed in [16] as PR-computability. 

Recall the definition of PR-computability for real-valued functions.

Definition 23. A total function $f : \mathbb{R} \to \mathbb{R}$ is PR-computable if and only if

1. it maps computable sequences to computable sequences,

2. it is effectively uniformly continuous on intervals $[-n, n]$.

Let us denote the computability proposed in [6] as ES-computability.

Recall the definition of ES-computability for real-valued functions.

We recall the definition of the interval domain $I$:

$$I = \{[a,b] \subseteq \mathbb{R} \mid a, b \in \mathbb{R},\ a \le b\} \cup \{\bot\}.$$

The relation $\ll$ is defined as follows: $\bot \ll J$ for all $J \in I$ and $[a,b] \ll [c,d]$ if
and only if $a < c$ and $b > d$.

Definition 24. Let $I_0 = \{b_1, \ldots, b_n, \ldots\} \cup \{\bot\}$ be the effective enumerated set
of all intervals with rational endpoints.

A continuous function $f : I \to I$ is computable, if the relation $b_m \ll f(b_n)$ is
r.e. in $n, m$, where $b_m, b_n \in I_0$.

Definition 25. A function $f : \mathbb{R} \to \mathbb{R}$ is ES-computable if and only if there is
an enlargement $g : I \to I$ (i.e., $g(\{x\}) = \{f(x)\}$ for all $x \in \mathrm{dom}(f)$) which is
computable in the sense of Definition 24.
Let us define gx,y
where IIm(x) = i 



— 9x,y — ^[x,y)i 

1 if X e M, 
undefined otherwise . 



Definition 26. A continuous function $h : [a,b] \to \mathbb{R}$ is called a piecewise linear
function if there exist $x_0, \ldots, x_n \in \mathbb{R}$ such that $a = x_0 < x_1 < \ldots < x_n = b$, and
$h|_{[x_i,x_{i+1}]}$ is a linear function for all $0 \le i < n$. We define the code $[h]$ of $h$ as
follows: $[h] = \{\langle x_i, h(x_i)\rangle \mid 0 \le i \le n\}$.

Let us consider functions from $\langle a,b\rangle$ to $\mathbb{R}$.

Proposition 27. Let $f : \langle a,b\rangle \to \mathbb{R}$ be a continuous majorant-computable
function. The function $f$ is PR-computable if and only if the relation

$$R_f = \{\langle x,y,z\rangle \in [a,b]^2 \times \mathbb{R} \mid x < y \land f|_{[x,y]} > z g_{x,y}\}$$

is $\Sigma$-definable in $\mathrm{HF}(\mathbb{R})$.

Proof. →) By the definition of PR-computability, $f$ is an effectively uniformly
continuous function. It follows that the set



Qf = {< x,y,z,e >G [a,b] x | ||/ - zgx,y\\[x,y] < e} 
is $\Sigma$-definable.

For $x, y \in \mathbb{R}$ such that $x < y$, the following equivalence holds.

11/ - zgx,y\\[x,y] < e GG (3 < 6i, . . . , >G Q^“) 

n—1 n—1 

(A 1^* “ <^ = Abo = X Abn = y A A ^ ’ 

i—0 i— 0 

where w is an effective modulus of continuity for $f$. It follows that $\langle x,y,z\rangle \in R_f$
if and only if there exist $\varepsilon > 0$ and a step-function $h : [x,y] \to \mathbb{Q}$ such that
$h > z g_{a,b} + \varepsilon$ and $\|f - h\|_{[x,y]} < \varepsilon$.

For arbitrary xq < . . . < x* < . . . < x„ = y and h = UHA i^i9xi,xi+i) , 

11/ ^1 1 [a;,y] “ maXQ< j<^_l 1 1/ Zigx^,xi.^.i \ \ • 

So the set $R_f$ is $\Sigma$-definable in $\mathrm{HF}(\mathbb{R})$.

←) Let $R_f$ be $\Sigma$-definable in $\mathrm{HF}(\mathbb{R})$. For every $\varepsilon = \frac{1}{s} > 0$, where $s \in \omega$, we will
effectively construct piecewise linear functions $f_s : [a,b] \to \mathbb{R}$, $g_s : [a,b] \to \mathbb{R}$
with the following conditions:

1. $f_s(x) < f(x) < g_s(x)$ for all $x \in [a,b]$; 2. $\|f_s - g_s\| < \varepsilon$.

In fact, by $\Sigma$-definability of $R_f$, the set



Tf = 



|< x,y,z,t >G [a, 6]^ x IR^ | x < y A Vm G [x, y] 



/(m) > 



y-x JJ 
is $\Sigma$-definable. It follows that the set

$$L_f = \{\langle s, [f], [g]\rangle \mid s \in \omega,\ f, g \text{ are piecewise linear with the conditions 1-2}\}$$

is $\Sigma$-definable. Using uniformization (see Theorem 8) we can construct the
required functions $f_s$, $g_s$.

Obviously, by the code [/i] C of a piecewise linear function, we can effectively 
construct a function $W_h : [0,1] \to \mathbb{R}$ with the following properties:

1. $W_h$ is a linear function;

2. $(\forall \varepsilon \in (0,1])\,(\forall x, y \in [0,1])\,(|x - y| < W_h(\varepsilon) \to |h(x) - h(y)| < \varepsilon)$.

As we can see, $W_h$ is a modulus of continuity for $h$.

Let us define the function Wf as follows: Wf = Wf^(^^), where s{e) = [|] -|- 1. 
It is easy to see that $W_f$ is $\Sigma$-definable, and it is a modulus of continuity for $f$.
By the definition of PR-computability, $f$ is PR-computable. □

It is easy to see that the continuous majorant-computable total function / is 
PR-computable if and only if the intersection n Q is A'-definable in HF(IR). 

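Proposition 28. If $B$ is an open $\Sigma$-definable set then $B$ is the effective union
of open intervals.

Proof. Let $B$ be an open $\Sigma$-definable set. By Proposition 3,

$$B = \bigcup_i \langle \alpha_i, \beta_i \rangle.$$

We represent $B$ as follows:

$$B = \bigcup_{i \in I_1} [\alpha_i, \beta_i) \cup \bigcup_{i \in I_2} (\alpha_i, \beta_i] \cup \bigcup_{i \in I_3} (\alpha_i, \beta_i) \cup \bigcup_{i \in I_4} [\alpha_i, \beta_i].$$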

Put = {i € I 4 \ aif=Pi, aif=Pj, j € I 4 }. Because B is open, we can effectively 
choose 7 i, Vi, Si, and 0i as follows 

7 i < Oi and 7 * S {aj,f3j), where i G h, j G hU I 3 U 

Vi > Pi and Vi G {aj,Pj), where i € I 2 , j & Ii LI I 3 U 

Si < ai and Si G (aj,Pj), where i G I 4 , j € Ii LI I 2 LI I 3 , 

Oi > Pi and Pi G {aj,Pj), where i G I 4 , j G /i U I 3 . 

So, 

= U U A) U IJ (ai,Pi) U J (Si,6i). 

i€li i€l2 i€l3 

This means that B is the effective union of open intervals. □ 
Proposition 29. Let $f : [0,1] \to \mathbb{R}$ be a majorant-computable continuous function.

The set $R_f = \{\langle a,b,c\rangle \mid 0 < a < b < 1 \land f|_{[a,b]} > c\}$ is $\Sigma$-definable in $\mathrm{HF}(\mathbb{R})$.

Proof. Without loss of generality, let us consider the case $f : [0,1] \to [0,1]$.

Let us define x S Af -H- |/(x) — fl < for z = 0, . . . , s. 

We have the following properties: 

1. U^f = [0) 1]) 2. Af is an open L'-definable set. 

By Proposition 28, Af = some rational numbers 

Let [a, b] C [0, 1]. Let us consider the case c = 0. By continuity of /, f\[a,b] > 0 
if and only if there exists s such that [a, b] C lJi=i ^1- 

Really, if there exists s such that [a, b] C lJi=i and x S [a, b] then x € Af 
for some i. By the definition of Af, |/(x) — jl < j, so /(x) > 0. 

If /I Ml >0, then there exists si such that f\[a,b] > Put s = si. 

For some z > 0, we have |/(x) — fl < i-e., x S Af. So, [a, b] C Af. 

By compactness of [a, 6], f[a^b] > 0 if and only if there exists s such that 
[a,b] C Af, where Af = (a^ j,, /3^ j,), and Ji^s is some finite subset of 

to, 0 < i < s, i.e., /[a, 6] > 0 if and only if the L'-condition holds. 

In the general case, for [a, b] and c, using similar considerations we check 
the following condition: 

[a,b]C U Af. 



Theorem 30. Let $f : [a,b] \to \mathbb{R}$ be a continuous total function.

The function $f$ is majorant-computable if and only if $f$ is PR-computable.

Proof. →) The claim is immediate from Proposition 27 and Proposition 29.

←) The claim is immediate from Corollary 21. □

Corollary 31. Let $f : [a,b] \to \mathbb{R}$ be a total continuous function.

The function $f$ is majorant-computable if and only if $f$ is ES-computable.

Proof. The claims are immediate from Corollary 30 in [6]. □

Theorem 32. The class of ES-computable functions is contained in the class
of majorant-computable functions.

Proof. Let $f : \mathbb{R} \to \mathbb{R}$ be ES-computable.

For n € LO, we define A„ = {x S IR | p,{f{[x])) < P}, where p, is the natural 
measure defined on I. It is easy to see that A„ is L'-definable open set, and 
dom(/) 

By Proposition 28, Ai = Pt), where at, ft S Q and at < Pi. 

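By Lemma 14, there exist a $\Sigma$-definable function $h : \mathbb{R} \times \mathbb{N} \to \mathbb{R}$ numbering
the $\Sigma$-definable set $\{z \in \mathbb{Q} \mid z < f([x])\}$, and a $\Sigma$-definable function
$H : \mathbb{R} \times \mathbb{N} \to \mathbb{R}$ numbering the $\Sigma$-definable set $\{z \in \mathbb{Q} \mid z > f([x])\}$.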







Put 



fs{^) 



maxk<sh{x,k) if x € 
—t otherwise, 



9s{x) 



mmk<sH{x,k) if x € Un<s(“"> 
t otherwise, 



where t >TN . 



Then $\{f_s\}_{s\in\omega}$ and $\{g_s\}_{s\in\omega}$ are the sought sequences. So, $f$ is majorant-computable.

There exist majorant-computable functions that are not ES-computable.

For example, a total step-function with a computable set of discontinuities is the
sought one. □

Corollary 33. If $f$ is ES-computable, then the domain of $f$ is the effective
intersection of open intervals.

Proof. The claim is immediate from the proof of Theorem 32. □

Corollary 34. For real-valued functions, we have the following inclusions:

1. The class of $\Sigma$-definable functions is contained in the class of
majorant-computable functions.

2. The class of computable functions introduced by Moschovakis is contained in
the class of majorant-computable functions.

3. The class of functions definable by finite dimensional machines of Blum et
al. without real constants is contained in the class of majorant-computable
functions.

4. The class of PR-computable functions is contained in the class of
majorant-computable functions.

5. The class of ES-computable functions is contained in the class of
majorant-computable functions.

6. The class of computable functions introduced by Stoltenberg-Hansen, Tucker
is contained in the class of majorant-computable functions.



5 Examples

Consider an interesting class of real-valued total functions possessing meromorphic
continuation onto $\mathbb{C}$. This subclass contains, for example, solutions of known
differential equations.

Let $\mathbb{C}$ be the set of complex numbers.

Definition 35. A function $f : \mathbb{R} \to \mathbb{R}$ is said to admit meromorphic continuation
onto $\mathbb{C}$ if there exists a meromorphic function $f^* : \mathbb{C} \to \mathbb{C}$ such that
$f^*|_{\mathbb{R}} = f$.

We recall a fact concerning meromorphic functions in complex numbers theory [3].

Proposition 36. Let $f : \mathbb{C} \to \mathbb{C}$ be a total meromorphic function. There exist
entire functions $a(z)$ and $b(z)$ such that

1. $f(z) = \frac{a(z)}{b(z)}$.

2. $a(z)$ and $b(z)$ have Taylor expansions with coefficients in $\mathbb{R}$.

Proof. The claim follows from the Schwartz principle [3]. □

Theorem 37. Let $f : \mathbb{R} \to \mathbb{R}$ be a total function and let $f^*$ be its meromorphic
continuation onto $\mathbb{C}$. Suppose that $f^*$ can be written as $f^*(z) = \frac{a(z)}{b(z)}$, where
functions $a(z)$ and $b(z)$ are as in Proposition 36. The function $f$ is
majorant-computable if the following conditions on $f$ hold:

1. There exist $\Sigma$-definable real-valued functions $A$ and $B$ such that

$$\max_{|z| \le w} |a(z)| \le A(w), \qquad \max_{|z| \le w} |b(z)| \le B(w), \quad \text{where } w \in \mathbb{R};$$

2. The coefficients of the Taylor expansions for $a(x)$, $b(x)$ are majorant-computable
as constant functions.

Proof. Let $f$ satisfy the conditions of the theorem. We shall prove that the epigraph
of $f$ and the ordinate set of $f$ are $\Sigma$-definable. Denote the Taylor expansions
for $a(z)$ and $b(z)$ at the point 0 as follows:

$$a(z) = \sum_{k \in \omega} a_k z^k, \qquad b(z) = \sum_{k \in \omega} b_k z^k.$$

We show that $a|_{\mathbb{R}}$ and $b|_{\mathbb{R}}$ are majorant-computable. Let us consider an arbitrary
disk $|z| \le R$.

From the Cauchy inequality [3], for all $k \in \omega$, we have

$$|a_k| \le \frac{M}{R^k}, \quad \text{where } M = \max_{|z| \le R} |a(z)|.$$

This remark allows us to construct two sequences of required approximations
for $a|_{\mathbb{R}}$. It is easy to see that $a|_{\mathbb{R}}$ is majorant-computable. Similarly, $b|_{\mathbb{R}}$ is
majorant-computable. It is easy to prove that if $a|_{\mathbb{R}}$ and $b|_{\mathbb{R}}$ are majorant-computable,
then $|a||_{\mathbb{R}}$ and $|b||_{\mathbb{R}}$ are majorant-computable. It is now evident
that the epigraph and the ordinate set of the function $f$ are $\Sigma$-definable sets.
Corollary 2 implies that $f$ is a majorant-computable function. □

Corollary 38. If an analytical function $f$ has Taylor expansion with
majorant-computable coefficients and the function $|f|$ is bounded by a $\Sigma$-definable total
real function, then $f$ is a majorant-computable function.

Since the considered language contains equality, majorant-computable functions
can be discontinuous. This raises the natural question of describing the situation
without equality. Our forthcoming results will be devoted to this problem.

1 Introduction

This paper describes principles behind a declarative programming language CL
(Clausal Language) which comes with its own proof system for proving properties
of defined functions and predicates. We use our own implementation of CL
in three courses in the first and second years of undergraduate study. By unifying
the domain of LISP's S-expressions with the domain N of natural numbers we
have combined the LISP-like simplicity of coding with the simplicity of semantics.
We deal just with functions over N within the framework of formal Peano
arithmetic. We believe that most of the time this is as much as is needed. CL is
thus an extremely simple language which is completely based in mathematics.

We illustrate in Sect. 2 how simple schemas of recursion and/or induction
lead to definitions of functions which are not necessarily the most efficient ones
to compute. For efficient computation one needs stronger schemas of recursion
and/or induction. This calls for a delicate balance between the strength of the
language and that of its formal system. The formal system must be strong enough
to prove the recurrences of strong recursive schemas as theorems. On the other
hand, the language must be specification complete and admit for every specification
formula $\forall x \exists y\, \phi(x,y)$ ($\phi$ is quantifier-free) proved in the formal system a
function $f$ witnessing the formula: $\phi(x, f(x))$. Moreover, this must be provable
in the formal system.

In Sect. 3 we introduce a very general schema of recursion with measure which 
combines expressivity with efficient computation. The justification of the schema 
is easy, it is defined by transfinite recursion. The characterization problem, i.e. 
the question of what class of functions is admitted by the schema, is far from 
trivial. We rely on a theorem of Péter [Pet32] and show that the schema admits
exactly the primitive recursive functions.

The proof system of CL is a fragment of Peano arithmetic and its soundness
is obviously guaranteed by the standard model M in natural numbers. In
order to achieve the specification completeness we select in Sect. 4 the fragment
called $I\Sigma_1$ whose witnessing functions are primitive recursive. A difficult
problem arises: we wish to extract functions defined by the general schema from
proofs where induction with $\Pi_2$-formulas is naturally called for. Unfortunately,
$I\Sigma_1$ admits induction axioms with at most $\Sigma_1$-formulas. Fortunately, a theorem
of Parsons [Par70] comes to our rescue: induction rules for $\Pi_2$-formulas are
admissible in proofs of $\Pi_2$-specifications.

What is amazing to us is that the relatively minor theorems of Péter and
Parsons turn out to be crucially important in the characterization problem of
a really existing and usable declarative programming language. What is even
more amazing is that the theorems are closely connected. Namely, the proof of
the special case of the theorem of Parsons in Thm. 4.15 calls for functions from
Thm. 3.7 by Péter. We hope that apart from the two quite technical proofs
(which are both new), the rest of the paper will be accessible to any computer
scientist with interest in logic but without the specialized knowledge in recursion
and proof theory.

We wish to stress that the connection between the theorems of Péter and
Parsons or new proofs of both theorems are not the main results of this paper.
Our main goal is the demonstration of how the classical theory of recursive
functions and the formal Peano arithmetic can be employed to give a simple
semantics to a programming language.

1.1 Pairing function. CL combines the domain of S-expressions of LISP with
the domain of natural numbers N in order to achieve a productive symbiosis of
easy coding in the first domain with the standard setting of theory of computation
and formal arithmetic in the second domain. This is done with the help of
a pairing function $(x,y)$ such that 0 is the only atom, i.e. $0 \ne (x,y)$ and every
positive number is in the range of the pairing function. The function satisfies the
pairing property: $(x_1,x_2) = (y_1,y_2) \to x_1 = y_1 \land x_2 = y_2$ and we have $x < (x,y)$
and $y < (x,y)$. From the last two conditions we get pair induction:

$$\phi(0) \land \forall x \forall y\,(\phi(x) \land \phi(y) \to \phi(x,y)) \to \forall x\, \phi(x). \qquad (1)$$

The simplest pairing function is Cantor's diagonal function offset by one:

$$(x,y) = \frac{(x+y)(x+y+1)}{2} + x + 1.$$

Projection functions $H$ (Head) and $T$ (Tail) satisfy $H(0) = T(0) = 0$, $H(v,w) = v$,
and $T(v,w) = w$. All three functions are primitive recursive (see [Dav85]). Pair
size $|x|$ of a number $x$ is the number of pairing operations needed to construct
$x$ and we have $|0| = 0$ and $|(v,w)| = |v| + |w| + 1$. This is a definition by course
of values which is reducible to primitive recursion.

For $n \ge 3$ we abbreviate $(x_1, (x_2, \ldots, x_n))$ to $(x_1, x_2, \ldots, x_n)$. Because 0
is the only atom, every natural number is uniquely a list, i.e. a code of a finite
sequence of natural numbers where the empty sequence is coded by the empty list
0 (LISP's nil) and a sequence $x_1 x_2 \ldots x_n$ is coded by the list $(x_1, x_2, \ldots, x_n, 0)$.
The length $L(x)$ of the list $x$ is defined by $L(0) = 0$ and $L(v,w) = L(w) + 1$.

In order to obtain a simple recursive characterization of subelementary complexity
classes (such as P) one should use a pairing function such that
$|x| = \Omega(\log(x))$ [Vod94]. CL uses such a function but for the purposes of this paper
this requirement is not important and we use the simpler Cantor's function which
does not satisfy the requirement.

1.2 Contractions. In the presence of pairing it suffices to deal only with unary
functions because to each n-ary function $f$ we can define its unary contraction
function $\langle f \rangle$ such that

$$f(x_1, \ldots, x_n) = \langle f \rangle(x_1, \ldots, x_n).$$

The use of contractions in CL frees the symbol comma from its role of the
separator of arguments. CL uses the infix pairing notation $x,y$ instead of $(x,y)$
and deals with unary functions and predicates only. However, such a use of
comma requires some practice in reading definitions which we do not want to
impose on a casual reader of this paper and so we continue to use here n-ary
functions and denote the pairing by $(x,y)$.



2 Examples of Clausal Definitions 

In this section we give example function definitions in the form of clauses of 
CL. We do not dwell on the syntax of clauses as we consider them almost
self-explanatory. The only requirement imposed on clausal definitions is that they
should be mechanically transformable into a closed form of definitions discussed 
in the following section. We intend to demonstrate that simple recursion and/or 
induction does not always lead to a definition which, when used as rewriting 
rules, is efficient. A computationally optimal definition usually needs a more 
complex recursion and/or induction. 

2.1 Pair recursion. The function $x \oplus y$ concatenating lists $x$ and $y$ has the
following clausal definition by course of values recursion:

$$0 \oplus y = y$$

$$(v,w) \oplus y = (v, w \oplus y).$$

The function $Rt$ has a similar clausal definition:

$$Rt(0) = 0$$

$$Rt(v,w) = (0, Rt(v) \oplus Rt(w)).$$

The function $Rt$ takes a number $x$ and yields a list satisfying $L\,Rt(x) = |x|$. Lists
in the range of $Rt$ contain at most zeros. Declarative programmers will recognize
$Rt(x)$ as a function flattening the tree $x$. Recursion from $(v,w)$ to $v$ and/or $w$ is
called pair recursion.

Alternatively, the definition of $Rt$ can be automatically extracted as a witness
from the proof of its specification: $\exists z\, L(z) = |x|$. The proof is by pair induction
on $x$. If $x = 0$ take $z = 0$. If $x = (v,w)$ obtain $z_1$ and $z_2$ from IH and set
$z = (0, z_1 \oplus z_2)$. We have

$$L(z) = L(0, z_1 \oplus z_2) = L(z_1) + L(z_2) + 1 \overset{IH}{=} |v| + |w| + 1 = |(v,w)|.$$

The function $Rt$ has a simple definition by pair recursion or it can be extracted
from a proof by pair induction. Unfortunately, this is not a very efficient
definition to use as rewrite rules for computation. The number of operations
needed to evaluate $Rt(x)$ is quadratic in $|x|$ due to the repeated concatenation.
We will remedy this situation in Par. 2.4.

2.2 Structural induction. As every worker in the field of declarative programming
knows there is a need for a special kind of structural induction for
recursive data structures. A typical example is a definition of the type of binary
trees with labels of type $T$ found in practically all functional languages:
$Bt = E \mid Nd(T, Bt, Bt)$. Semantically a new sort freely generated by this definition
is added to the domain of such a language. We cannot extend the domain
N of CL but we can code binary trees into natural numbers. For that we need
two constructors: a constant $E = (0,0)$ and a function $Nd(x) = (1,x)$. The type
$Bt$ is in CL a predicate holding exactly of codes of binary trees:

$$Bt(E)$$

$$Bt\,Nd(n,a,b) \leftarrow T(n) \land Bt(a) \land Bt(b).$$

Such a clausal definition is minimal in the sense that unless the truth of $Bt(x)$ follows
from the clauses the predicate does not hold for $x$ by default. The predicate
is primitive recursive by course of values pair recursion because $a < Nd(n,a,b)$.
We have the following principle of structural induction which can be used to
prove that a property $\phi(x)$ holds of all (codes of) binary trees:

$$\phi(E) \land \forall n \forall a \forall b\,(T(n) \land \phi(a) \land \phi(b) \to \phi(Nd(n,a,b))) \land Bt(x) \to \phi(x).$$

The principle is reduced to complete induction as follows. We assume its first
two conjuncts and continue by complete induction on $x$ with the induction formula
$Bt(x) \to \phi(x)$. We take any $x$ s.t. $Bt(x)$ and consider two cases (which
follow from the minimality of $Bt$). If $x = E$ we use the first assumption. If
$x = Nd(n,a,b)$ then $T(n)$, $Bt(a)$, and $Bt(b)$ and so, since $a < x$ and $b < x$, we
get $\phi(a)$ and $\phi(b)$ from IH. Thus we get $\phi(x)$ from the second assumption.

2.3 Substitution in parameters. Consider the following clausal definition
of the minimum function $\min(x,y)$:

$$\min(0, y) = 0$$

$$\min(x+1, 0) = 0$$

$$\min(x+1, y+1) = \min(x,y) + 1.$$

This is a definition by primitive recursion (on $x$) with substitution in parameter
($y$) which does not lead outside of primitive recursion. The reduction to primitive
recursion is important extensionally for knowing that min is primitive recursive.
Intensionally, the function should be computed directly from its clauses used as
rewrite rules. Colson [Col91] has proved that this kind of intensional behavior
is impossible with any primitive recursive derivation of the minimum function
when the identities are used intensionally as rewriting rules. The basic property
of min:

$$\forall y\,(x \ge y \land \min(x,y) = y \lor x < y \land \min(x,y) = x) \qquad (1)$$

is proved by induction on $x$. Note that the quantifier is necessary because min
is defined by substitution in parameter.

We observe that the above definition of min is computationally inefficient
because the minimum can be computed exponentially faster by recursion on
notation which goes from $2 \cdot x$ and $2 \cdot x + 1$ to $x$.

2.4 Nested recursion. We can obtain a more efficient definition of $Rt$ by
defining an auxiliary accumulator function $Rta$ which does not apply concatenation.
We will obtain the accumulator function as a witness of (1) to get
$Rta(x,a) = Rt(x) \oplus a$. We can then explicitly define the function $Rt$ by $Rt(x) =
Rta(x,0)$. The accumulator function substitutes in the accumulator $a$ so we prove

$$\forall a \exists z\; z = Rt(x) \oplus a \qquad (1)$$

by pair induction on $x$. If $x = 0$ then it suffices to take $z = a$. If $x = (v,w)$ then
for a given $a$ we obtain by IH a $z_1$ such that $z_1 = Rt(w) \oplus a$. By another IH we
obtain $z_2$ such that $z_2 = Rt(v) \oplus z_1$. It now suffices to set $z = (0, z_2)$ because

$$z = (0, z_2) = (0, Rt(v) \oplus z_1) = (0, Rt(v) \oplus Rt(w) \oplus a) = Rt(v,w) \oplus a.$$

The witness can be now automatically extracted from the proof to satisfy:

$$Rta(0, a) = a$$

$$Rta((v,w), a) = (0, Rta(v, Rta(w,a))).$$

This is a definition by nested pair recursion.
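The pairing function of Par. 1.1 and the two definitions of Rt from Par. 2.1 and 2.4, run side by side as an added Python example that is not code from the paper or from the CL implementation. The names `Ops`, `left_comb` and `cost` are assumptions of this sketch, which uses Cantor's function as the paper does and counts pairing operations on a left-nested tree, where the repeated concatenation is most expensive.

```python
from math import isqrt


def pair(x, y):
    """(x, y) = (x + y)(x + y + 1)/2 + x + 1: Cantor's function offset by one."""
    return (x + y) * (x + y + 1) // 2 + x + 1


def unpair(p):
    """Return (H(p), T(p)); by definition H(0) = T(0) = 0."""
    if p == 0:
        return 0, 0
    c = p - 1                          # undo the offset by one
    d = (isqrt(8 * c + 1) - 1) // 2    # index x + y of the diagonal holding c
    x = c - d * (d + 1) // 2
    return x, d - x


def pair_size(x):
    """|0| = 0 and |(v, w)| = |v| + |w| + 1."""
    if x == 0:
        return 0
    v, w = unpair(x)
    return pair_size(v) + pair_size(w) + 1


def to_list(x):
    """Decode the list (x1, ..., xn, 0) into [x1, ..., xn]; its len is L(x)."""
    items = []
    while x != 0:
        v, x = unpair(x)
        items.append(v)
    return items


class Ops:
    """Pairing with a counter, to compare the cost of the two definitions."""

    def __init__(self):
        self.count = 0

    def pair(self, x, y):
        self.count += 1
        return pair(x, y)


def concat(x, y, ops):
    """0 (+) y = y and (v, w) (+) y = (v, w (+) y)."""
    if x == 0:
        return y
    v, w = unpair(x)
    return ops.pair(v, concat(w, y, ops))


def rt(x, ops):
    """Rt(0) = 0 and Rt(v, w) = (0, Rt(v) (+) Rt(w)): plain pair recursion."""
    if x == 0:
        return 0
    v, w = unpair(x)
    return ops.pair(0, concat(rt(v, ops), rt(w, ops), ops))


def rta(x, a, ops):
    """Rta(0, a) = a and Rta((v, w), a) = (0, Rta(v, Rta(w, a))): nested."""
    if x == 0:
        return a
    v, w = unpair(x)
    return ops.pair(0, rta(v, rta(w, a, ops), ops))


def left_comb(k):
    """Constructed input: the tree ((...((0, 0), 0)...), 0) of pair size k."""
    x = 0
    for _ in range(k):
        x = pair(x, 0)
    return x


def cost(k):
    """Pairing operations used by Rt(x) and by Rta(x, 0) on left_comb(k)."""
    x = left_comb(k)
    naive, nested = Ops(), Ops()
    assert rt(x, naive) == rta(x, 0, nested)
    return naive.count, nested.count


if __name__ == "__main__":
    for k in (2, 4, 8):
        print(k, cost(k))
```

Keep the inputs small: a list of n zeros is a number whose length in digits roughly doubles with each added element under Cantor's function.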

2.5 Assignments. The following definition by primitive recursion shows a
construct which makes computation more efficient:

$$f(0) = 1$$

$$f(x+1) = (y,y) \leftarrow f(x) = y.$$

We could have defined the same function with the second clause $f(x+1) =
(f(x), f(x))$. The latter definition needs $2^x$ recursions to compute $f(x)$ whereas
the assignment of $f(x)$ to the auxiliary variable $y$ reduces the number of recursions
to $x$.

2.6 Non-primitive recursive function. The well-known non-primitive recursive
Ackermann-Péter function (see [Pet67,Ros82]) has the following clausal
definition:

$$A(0,y) = y + 1$$

$$A(x+1, 0) = A(x, 1)$$

$$A(x+1, y+1) = A(x, A(x+1, y)).$$

By Thm. 3.9 this is a definition not permitted in CL.

3 Recursion with Measure

3.1 Syntax of recursion with measure. CL restricts the syntax of clausal
definitions in such a way that the clauses can be mechanically transformed into
closed form:

$$f(x_1, \ldots, x_n) = \tau(f, x_1, \ldots, x_n). \qquad (1)$$

The term $\tau$ is composed from the constant 0 and variables by applications of
the successor function $S(x) = x + 1$, pairing $(x,y)$, previously defined functions,
recursive applications of $f$, and by three operators:

if $\tau_1 = S(x)$ then $\tau_2(x)$ else $\tau_3$   (2)

if $\tau_1 = (x,y)$ then $\tau_2(x,y)$ else $\tau_3$   (3)

let $\tau_1 = x$ in $\tau_2(x)$.   (4)

The pattern variables on the right-hand-side of the identities must be new and
they are bound in terms with indicated variables. Such terms $\tau$ are well-known
from LISP and from functional languages and they allow a fine degree of control
over evaluation.

The actual implementation of CL has a slightly richer syntax of terms $\tau$ (for
instance built-in arithmetic operators). The syntax of terms $\tau$ is not minimal
because we wish to demonstrate that the coding of S-expressions into natural
numbers brings the benefits of LISP-like programming without any deterioration
of efficiency (see Paragraphs 3.4 and 3.5).

3.2 Semantics of recursion with measure. We assign the meaning to the
three operators from Par. 3.1 as follows. The operator 3.1(4) denotes the same
as the term $\tau_2(\tau_1)$. For the two if operators we introduce the case discrimination
function $D$ by primitive recursion: $D(0,y,z) = z$ and $D(x+1,y,z) = y$. The operator
3.1(2) denotes the same as the term $D(\tau_1, \tau_2(\tau_1 - 1), \tau_3)$ and the operator
3.1(3) denotes the same as the term $D(\tau_1, \tau_2(H(\tau_1), T(\tau_1)), \tau_3)$. The remaining
constructs in terms $\tau$ have their standard meaning.

The definition 3.1(1) can be either explicit if $f$ is not applied in $\tau$ or else it
must be regular, in that there is a measure function $m : N^n \to O$ into an initial
segment of ordinal numbers. The recursion in $\tau$ must go down in the measure
$m$ in the sense that for every recursive application $f(\tau_1, \ldots, \tau_n)$ in $\tau$ we have
$m(\tau_1, \ldots, \tau_n) < m(x_1, \ldots, x_n)$ under the assumption of all conditions governing
the recursive application. If the application occurs in $\tau$ after some then (in) of
an operator then it is governed by the condition after if (let). If the application
occurs after some else of an operator then it is governed by $\tau_1 = 0$ for $\tau_1$ from
that operator.

The regularity condition guarantees that we have

$$\tau(f, x_1, \ldots, x_n) = \tau([f]_{x_1,\ldots,x_n}, x_1, \ldots, x_n)$$

where we denote by $[g]_{x_1,\ldots,x_n}$ the m-restriction of $g$, i.e. the function satisfying:

$$[g]_{x_1,\ldots,x_n}(y_1, \ldots, y_n) = \begin{cases} g(y_1, \ldots, y_n) & \text{if } m(y_1, \ldots, y_n) < m(x_1, \ldots, x_n)\\ 0 & \text{otherwise.} \end{cases}$$

It is well-known from set theory that there is a unique function $f$ defined by
transfinite recursion such that $f(x_1, \ldots, x_n) = \tau([f]_{x_1,\ldots,x_n}, x_1, \ldots, x_n)$ and $f$ is
thus the unique function satisfying 3.1(1).



3.3 Measures of example functions. The measure for the primitive recursion
in both clausal definitions of min from Par. 2.3 as well as in the definition
of $f$ from Par. 2.5 is the identity function $I(x) = x < \omega$.

We can also use $I$ as a measure for definitions by pair recursion of functions
$|x|$, $L$, $\oplus$, $Rt$, and $Rta$ but the measure $|x|$ is superior as the recursion in CL
runs exponentially faster due to $|x| = \Omega(\log(x))$ (this, however, is not true for
Cantor's function used here).

The Ackermann-Péter function has the measure $m(x,y) = \omega \cdot x + y < \omega^2$.

For instance, for the outer recursive application in the third clause we have

$$m(x, A(x,y)) = \omega \cdot x + A(x,y) < \omega \cdot (x+1) + y + 1 = m(x+1, y+1).$$

3.4 Numerals. Unary numerals are terms composed from the constant 0 by
the application of the successor function $S(x) = x + 1$. The numeral $S^n(0)$, i.e.
$\underbrace{S \ldots S}_{n}(0)$, denotes the number $n$. Pair numerals are terms composed from 0 by
pairing $(\cdot,\cdot)$. Clearly, to every natural number there is exactly one pair numeral
denoting the number.

In order to facilitate not only effective but also efficient computation we
introduce mixed numerals as terms composed from 0 by the successor function
and pairing. It is now possible that two different mixed numerals denote the
same number. Mixed numerals have a simple representation in computers. Unary
numerals are represented in binary (say by the Bignum's of LISP). The mixed
numeral $(\tau_1, \tau_2)$ is represented by a pointer to a LISP-cell with pointers to the
representations of mixed numerals $\tau_1$ and $\tau_2$.

Conversions between mixed numerals are effectively computable in the sense
that we can effectively find the mixed numerals denoting $(\tau_1, \tau_2) - 1$ (this is
used in 3.1(2)), $H\,S(\tau_1)$, and $T\,S(\tau_1)$ (this is used in 3.1(3)). The conversions
are effective because the pairing and projection functions are primitive recursive.



3.5 Effective computability of recursion with measure. We say that an
n-ary function $f$ is effectively computable if there is a mechanical process which,
given the mixed numerals $\tau_1, \ldots, \tau_n$ denoting the numbers $k_1, \ldots, k_n$ respectively,
yields after a finite time a mixed numeral denoting the number $f(k_1, \ldots, k_n)$.

We now assume that all functions (except $f$) applied in a term $\tau$ from 3.1(1)
are effectively computable. Suppose that we are given mixed numerals $\tau_1, \ldots, \tau_n$
as arguments for the (free) variables of $\tau$. If the definition is explicit one can easily
prove by induction on construction of $\tau$ that it is effectively computable into a
mixed numeral. If the definition is recursive we assume that $f$ can be computed
for all mixed numerals ti, . . . , Tn such that m(Ti, . . . , r„) < to(ti, . . . , Tn) and 
show similarly that $\tau$ can be effectively computed into a mixed numeral (the
outer induction is thus a transfinite induction on $m$).

Definitions of CL functions are almost always well-behaved in the sense that 
they perform list operations on numerals with outermost pairings and arithmetic 
operations on unary numerals. The need for the time consuming conversions is 
exceptional. 

3.6 Multiply recursive functions. The Ackermann-Peter function A is an 
example of a 2-recursive function in the hierarchy of multiply recursive functions 
by Peter [Pet67,Ros82]. Its definition is by nested double recursion. 

The function $f$ is 1-recursive if it is defined by nested simple recursion:

$f(0, \vec{x}) = g(\vec{x})$ (1)

$f(z+1, \vec{x}) = \tau(f(z, \cdot), z, \vec{x})$ (2)

where we denote by $\vec{x}$ the $n$-tuple of variables $x_1, \ldots, x_n$. The right-hand-side of
the second identity should be understood as the term obtained from $\tau(f, z, \vec{x})$
by replacing all applications of $f(\tau_1, \ldots, \tau_n)$ by $f(z, \tau_1, \ldots, \tau_n)$. Nested simple
recursion is a special case of recursion with measure where $m(z, \vec{x}) = z$. Note
that the term $\tau$ does not need to be regular because the regularity is enforced
by the restriction $f(z, \cdot)$.

For a measure function $m(\vec{x}) < \omega$ we can reduce a regular definition 3.1(1)
into nested simple recursion by defining an auxiliary function $\bar{f}$:

$\bar{f}(0, \vec{x}) = \tau(Z(\cdot), \vec{x})$

$\bar{f}(z+1, \vec{x}) = \tau(\bar{f}(z, \cdot), \vec{x})$

where $Z(\vec{x}) = 0$. We then explicitly set $f(\vec{x}) = \bar{f}(m(\vec{x}), \vec{x})$.

We now present a proof of slightly generalized Peter’s theorem [Pet32]. The 
proof is done in a way which can be readily formalized by Thm. 4.9 in a small 
fragment of Peano arithmetic. 

3.7 Peter’s theorem. Primitive recursive functions are closed under nested 
simple recursion. 

Proof. Because of pairing we may assume that the function $f$ defined by a nested
simple recursion is of the form $f(z, x)$. We assume that the function $f$ is applied
in $\tau$ at least once because otherwise there is nothing to prove. Finally, we assume
that the if and let operators have been removed from the term $\tau$ as suggested in
Par. 3.2. We ‘unnest’ from inside out and left to right the applications of $f$ in $\tau$
by writing the definition in the clausal form:

$f(0, x) = g(x)$

$f(z+1, x) = \tau_k(z, x, t_0, t_1, \ldots, t_{k-1}) \leftarrow$

$f(z, \tau_0(z, x)) = t_0 \wedge f(z, \tau_1(z, x, t_0)) = t_1 \wedge \ldots \wedge$
$f(z, \tau_{k-1}(z, x, t_0, t_1, \ldots, t_{k-2})) = t_{k-1}$

Here the terms $\tau_i$ for $0 \le i \le k$ contain at most the indicated variables and do not
apply $f$. Let us until the end of the proof call a list $t$ such that $L(t) \le k$ a table for
$f(z+1, x)$ if for all $0 \le i < L(t)$ we have $(t)_i = f(z, \tau_i(z, x, (t)_0, (t)_1, \ldots, (t)_{i-1}))$.
Here $(t)_i$ denotes the list indexing function $(t)_i = H\,T^i(t)$. The table is partial if
$L(t) < k$ and full otherwise. Note that 0 is a partial table for every $f(z+1, x)$. We
will use tables to hold the values of the auxiliary recursive applications needed
in the evaluation of $f(z+1, x)$. A partial table $t$ for $f(z+1, x)$ can be used to
determine the value of the parameter for the next recursive application to
be evaluated. A full table determines the value of the term $\tau_k$ and hence, of the
application $f(z+1, x)$. This is captured by a primitive recursive function $V$ with
an explicit clausal definition:

$V(z, x, 0) = \tau_0(z, x)$

$V(z, x, (t_0, 0)) = \tau_1(z, x, t_0)$

$V(z, x, (t_0, t_1, 0)) = \tau_2(z, x, t_0, t_1)$

$\vdots$

$V(z, x, (t_0, t_1, \ldots, t_{k-2}, 0)) = \tau_{k-1}(z, x, t_0, t_1, \ldots, t_{k-2})$

$V(z, x, (t_0, t_1, \ldots, t_{k-2}, t_{k-1}, 0)) = \tau_k(z, x, t_0, t_1, \ldots, t_{k-2}, t_{k-1})$ .

If $t$ is a table for $f(z+1, x)$ then $V(z, x, t) = \tau_{L(t)}(z, x, (t)_0, (t)_1, \ldots, (t)_{L(t)-1})$.
Hence, $V(z, x, t)$ yields for a partial $t$ the parameter of the next recursive appli-
cation of $f$ to be evaluated. If $t$ is full then we have $f(z+1, x) = V(z, x, t)$.

In order to evaluate the application $f(z, x)$ we will keep lists $t$ of tables for
$f(z, x)$ where $t$ is a list of length $z$ such that $(t)_i$ is a partial table for $f(z - i, x_i)$
for each $i < z$. The parameters $x_i$ are such that $x_0 = x$ and for $i + 1 \le z$ we
have $x_{i+1} = V(z - (i + 1), x_i, (t)_i)$. Note that for $i \le z$ the parameters can be
determined as $x_i = B(i, x, t)$ by a primitive recursive function $B$:

$B(0, x, t) = x$

$B(i + 1, x, t) = V(L(t) - (i + 1), B(i, x, t), (t)_i)$ .

We note that $x_z = B(z, x, t)$ is the parameter for the application $f(0, x_z)$ to be
computed next in the last table $(t)_{z-1}$ of the list of tables $t$ for $f(1, x_{z-1})$. We
also note that $t_0 = \sigma(z)$, where $\sigma(0) = 0$ and $\sigma(x + 1) = (0, \sigma(x))$, is a list of
tables for every $f(z, x)$ and that every list of tables for $f(0, x)$ must be 0.

In order to evaluate $f(z, x)$ for $z > 0$ we need the values of $k$ recursive appli-
cations $f(z - 1, \tau_i)$. If $z > 1$ each such an application needs again $k$ evaluations of
$f$. Thus we need $k^z$ evaluations of $f$ in order to compute $f(z, x)$. This suggests a
computation strategy for $f$ where we start the evaluation of $f(z, x)$ with the list
of tables $t_0 = \sigma(z)$ and after $j < k^z$ steps we will have list of tables for $f(z, x)$:
$t_j$ with each partial table $(t_j)_i$ for $i < z$ having the length given by the $i$-th digit
of the expansion of $j$ in the positional representation with $k$ digits 0 through
$k - 1$. We do not suppress the leading zeros and count the digits from left to
right starting with 0 and ending with $z - 1$.

The step $j + 1$ of the evaluation will thus resemble the addition of one to the
number $j$ in the $k$-ary notation. We will add the value of $v = f(0, x_z)$ to the
partial table $t = (t_j)_{z-1}$ thereby obtaining a new table $t \oplus (v, 0)$. Should this
table become full, it will be reset to the empty table 0 in the list of tables $t_{j+1}$
and we will propagate as a ‘carry’ the value $V(0, x_{z-1}, t \oplus (v, 0)) = f(1, x_{z-1})$.
If $j + 1 < k^z$ then the process of carries rippling through will terminate in some
partial table of $t_{j+1}$. If $j + 1 = k^z$ then $t_{j+1}$ will be the empty list of tables $\sigma(z)$
again and the carry out will yield the value of $f(z, x)$.

We indicate no carry by 0 and a carry of the value $v$ by $(0, v)$. The list of
tables $t_{j+1}$ is produced by the function Incr which yields a pair consisting of
a carry and of a list of tables such that Incr$(t_j, x, t_j) = (c, t_{j+1})$. The function
has a clausal definition by pair recursion:

lncr(;s,x,0) = {{0,gB{L{s),x,s)),0) 

Incr{s,x,{t,t)) = (0,t,ti) ^ Incr{s,x,t) = (0,0) 

Incr{s, X, {t, t)) = (0, t 0 {v, 0), 0) <— Incr{s, x,t) = ((0, v),ti) A L{t) < k — 1 
Incr{s,x, 0 0 (u,O))),O,0) ^ 

Incr{s, X, t) = ((0, v),ti) A L(t) = k — 1 . 

The function Incr iterates the function Incr in such a way that Incr{i,x,to) = 
(c,0) and it is defined by primitive recursion: 

/ncr(0, X, t) = (0, t) 

Incr{i 0 1, X, t) = Incr{ti,x, 0) ^ Incr{i, x, t) = (c, 0) . 

The function $f$ defined by nested simple recursion has thus a primitive recursive
derivation by an explicit clausal definition:

$f(z, x) = v \leftarrow$ Incr$(k^z, x, \sigma(z)) = ((0, v), t)$ . □

3.8 CL-definable functions. Already the elementary functions (for defin- 
ition see [Kal43,Ros82]), which are but a tiny subclass of primitive recursive 
functions, are computationally unfeasible. It is generally accepted that the com- 
putationally feasible functions are the functions computable in polynomial time. 
The class P of such functions was characterized by Cobham [Cob65,Ros82] with 
the help of recursion on notation which goes from $2x$ and $2x + 1$ to $x$. We have
characterized P in [Vod94] with the help of pair recursion. The class P is a 
proper subset of elementary functions. We have decided to restrict CL to prim- 
itive recursive functions because they have simpler closure properties than the 
elementary functions or the functions in P. Primitive recursive functions have 
also a simple formal theory (see Sect. 4) for proving the properties of defined 
functions. The reader might wish to consult [Wai97] for a similar argument in 
favor of primitive recursive functions. 

We say that a function is CL-definable if it has a clausal definition from 
previously CL-defined functions such that the clauses can be converted to an 
explicit or regular recursion with measure 3.1(1). If the definition is regular then 
also the measure function must be CL-defined (and so it must be into finite
ordinals N).

3.9 Theorem (Characterization of primitive recursive functions). CL-defi- 
nable functions are exactly the primitive recursive functions. 

Proof. That CL-definable functions are primitive recursive follows from Peter’s
theorem and from the reduction of regular definitions to nested simple recur-
sion in Par. 3.6. Vice versa, the initial primitive recursive functions, i.e. the
successor, zero, and projection functions, have explicit definitions $S(x) = S(x)$,
$Z(x) = 0$, and $I^n_i(x_1, \ldots, x_i, \ldots, x_n) = x_i$ respectively. Functions defined by
substitution have explicit definitions: $f(\vec{x}) = g(h_1(\vec{x}), \ldots, h_m(\vec{x}))$ and functions
defined by primitive recursion have a regular clausal definition with the measure
$I^{n+1}_1(x, \vec{y}) = x$:

$f(0, \vec{y}) = g(\vec{y})$

$f(x + 1, \vec{y}) = h(x, \vec{y}, f(x, \vec{y}))$ . □

3.10 Characterization of recursive functions. By permitting arbitrary 
ordinal-valued measure functions in regular definitions (even non-computable 
ones and without ordinal notations in natural numbers) we can define by explicit 
and regular recursive definitions exactly the recursive functions. That every re- 
cursive function can be thus defined can be seen from the clausal derivation of 
regular minimalization: 

$f(\vec{x}) = \mu y[g(y, \vec{x}) = 0]$

where for arbitrary $\vec{x}$ there is a $y$ such that $g(y, \vec{x}) = 0$. For the clausal derivation
of $f$ we define an auxiliary function $\bar{f}$:

$\bar{f}(y, \vec{x}) = z \leftarrow \mu_{z \le y}[g(z, \vec{x}) = 0] = z \wedge g(z, \vec{x}) = 0$

$\bar{f}(y, \vec{x}) = \bar{f}(y + 1, \vec{x}) \leftarrow \mu_{z \le y}[g(z, \vec{x}) = 0] = z \wedge g(z, \vec{x}) > 0$ .

This is a regular clausal definition using bounded minimalization which is re-
ducible to primitive recursion. The measure is: $m(y, \vec{x}) = f(\vec{x}) - y$ because when
the recursion takes place we must have $g(z, \vec{x}) > 0$ for all $z \le y$ and so $y < f(\vec{x})$.
The function $f$ is then explicitly derived as $f(\vec{x}) = \bar{f}(0, \vec{x})$.

We do not prove here the converse that every regular clausal definition 3.1(1)
is recursive in the functions applied in $\tau$. We just suggest the proof by doing it
for the Ackermann-Peter function. We redo the definition in Par. 2.6 and add a
new argument $z$:

$\bar{A}(0, 0, y) = y + 2$
$\bar{A}(0, x + 1, y) = 0$
$\bar{A}(z + 1, 0, y) = y + 2$
$\bar{A}(z + 1, x + 1, 0) = \bar{A}(z, x, 1)$
$\bar{A}(z + 1, x + 1, y + 1) = \bar{A}(z, x, a) \leftarrow \bar{A}(z, x + 1, y) = a + 1$
$\bar{A}(z + 1, x + 1, y + 1) = 0 \leftarrow \bar{A}(z, x + 1, y) = 0$ .

The argument $z$ of $\bar{A}(z, x, y)$ plays the role of a counter. If $z$ is sufficiently large
then $\bar{A}(z, x, y) = A(x, y) + 1$, if $z$ is not large enough to count the number of
recursions in $A$ then $\bar{A}(z, x, y) = 0$ (note the second clause for $\bar{A}$). The function $\bar{A}$
is primitive recursive because it is defined by nested simple recursion. Moreover,
we have $\exists z\,\bar{A}(z, x, y) = A(x, y) + 1$ as can be proved by transfinite induction with
the measure $m(x, y) = \omega \cdot x + y$. Hence, we can define $\bar{m}(x, y) = \mu z[\bar{A}(z, x, y) > 0]$
by regular minimalization and set $A(x, y) = \bar{A}(\bar{m}(x, y), x, y) - 1$. Alternatively,
the definition of $A$ in Par. 2.6 has the measure $\bar{m}(x, y) < \omega$, and so $A$ is primitive
recursive in $\bar{m}$ which thus cannot be primitive recursive. The last shows the
collapse of any measure function, no matter how large its ordinal range is, into
a measure function $< \omega$ by a single regular minimalization.
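The counter construction of Par. 3.10 and the table strategy from the proof of Peter’s theorem (Par. 3.7) can be run together. The following Python sketch is an added example, not code from the paper or from the CL system: `a_bar` transcribes the six clauses of the 3-ary function with counter z, `m_bar` is the regular minimalization, and `eval_by_tables` evaluates the same function without recursion as a k-ary counter over z tables (k = 2, with dummy applications as padding, which is an assumption of this sketch). `ackermann_reference` assumes the usual clauses A(0,y) = y+1, A(x+1,0) = A(x,1), A(x+1,y+1) = A(x, A(x+1,y)) for Par. 2.6, which is not reproduced in this section.

```python
from functools import lru_cache

K = 2  # a_bar makes at most two recursive applications per unfolding


@lru_cache(maxsize=None)
def a_bar(z, x, y):
    """Six clauses of Par. 3.10: A(x, y) + 1 if the counter z suffices, else 0."""
    if x == 0:
        return y + 2                       # clauses 1 and 3
    if z == 0:
        return 0                           # clause 2: counter exhausted
    if y == 0:
        return a_bar(z - 1, x - 1, 1)      # clause 4
    inner = a_bar(z - 1, x, y - 1)         # a + 1, or 0 if z - 1 was too small
    if inner == 0:
        return 0                           # clause 6
    return a_bar(z - 1, x - 1, inner - 1)  # clause 5


def m_bar(x, y):
    """Regular minimalization: least z with a_bar(z, x, y) > 0."""
    z = 0
    while a_bar(z, x, y) == 0:
        z += 1
    return z


def ackermann(x, y):
    """A(x, y) recovered as a_bar(m_bar(x, y), x, y) - 1."""
    return a_bar(m_bar(x, y), x, y) - 1


def ackermann_reference(x, y):
    """Assumed clauses of Par. 2.6, evaluated with an explicit stack."""
    stack = [x]
    while stack:
        x = stack.pop()
        if x == 0:
            y += 1
        elif y == 0:
            stack.append(x - 1)
            y = 1
        else:
            stack.extend((x - 1, x))       # outer A(x - 1, .) waits for inner A(x, y - 1)
            y -= 1
    return y


def g(p):
    """f(0, p) for the pair p = (x, y): clauses 1 and 2."""
    x, y = p
    return y + 2 if x == 0 else 0


def V(z, p, table):
    """tau_L(table): next parameter for a partial table, f(z + 1, p) for a full one."""
    x, y = p
    dummy = (0, 0)                         # padding: each unfolding gets exactly K applications
    if len(table) == 0:
        if x == 0:
            return dummy
        return (x - 1, 1) if y == 0 else (x, y - 1)
    if len(table) == 1:
        if x == 0 or y == 0 or table[0] == 0:
            return dummy
        return (x - 1, table[0] - 1)
    if x == 0:
        return y + 2
    if y == 0 or table[0] == 0:
        return table[0]
    return table[1]


def eval_by_tables(z, p):
    """Evaluate f(z, p) = a_bar(z, *p) iteratively; returns (value, steps)."""
    tables = [[] for _ in range(z)]        # sigma(z): all tables empty
    steps = 0
    while True:
        params = [p]                       # B: x_0 = p, x_{i+1} = V(., x_i, (t)_i)
        for i in range(z):
            params.append(V(z - (i + 1), params[i], tables[i]))
        carry = g(params[z])               # f(0, x_z)
        steps += 1
        i = z - 1
        while i >= 0:
            tables[i].append(carry)
            if len(tables[i]) < K:
                break                      # table i still partial: no carry out
            carry = V(z - (i + 1), params[i], tables[i])  # full table: f(z - i, x_i)
            tables[i] = []
            i -= 1
        else:
            return carry, steps            # carry out of table 0 is f(z, p)
```

`eval_by_tables` always takes K**z steps, which is the count given in the proof; the counter z that suffices for A(2, 3) is 9, so the iterative evaluation of that value takes 512 steps.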

4 Formal Arithmetic 

4.1 Peano arithmetic. Peano arithmetic is obtained by the addition of ax-
ioms of induction:

$\phi(0) \wedge \forall x(\phi(x) \to \phi(x + 1)) \to \forall x\,\phi(x)$ (1)

to the six axioms of Robinson arithmetic:

$S(x) \ne 0$

$S(x) = S(y) \to x = y$

$x \ne 0 \to \exists y\,x = S(y)$

$0 + y = y$

$S(x) + y = S(x + y)$

$0 \cdot y = 0$

$S(x) \cdot y = x \cdot y + y$ .

The language $\mathcal{L}$ of both arithmetics consists of the symbols $0$, $S$, $+$ and $\cdot$. Axioms
of both arithmetics have the standard model $\mathcal{N}$ whose domain is N and the
symbols of the language have the standard interpretation. We write $T \vdash \phi$ when
$\phi$ is provable from axioms $T$. The reader is invited to use his favorite (complete)
proof system. In the following discussion we state many properties of Peano
arithmetic without proofs. The reader is advised to consult [HP93] for more
details.

4.2 Fragments of Peano arithmetic. If we restrict the formulas $\phi(x)$ in
axioms of induction 4.1(1) to the formulas of certain quantifier complexity we
obtain fragments of Peano arithmetic.

The class of $\Sigma_0 = \Pi_0$-formulas is defined to consist of formulas with at
most bounded quantifiers $\exists x \le s\,\phi(x)$ and $\forall x \le s\,\phi(x)$. Bounded quantifiers are
abbreviations for the formulas $\exists x \exists z(x + z = s \wedge \phi(x))$ and $\forall x \forall z(x + z = s \to \phi(x))$
respectively ($z$ is a new variable). $\Sigma_{n+1}$-formulas are the formulas of the form
$\exists x_1 \ldots \exists x_k\,\phi$ where $\phi \in \Pi_n$ and $\Pi_{n+1}$-formulas are the formulas of the form
$\forall x_1 \ldots \forall x_k\,\phi$ where $\phi \in \Sigma_n$ and $k \ge 1$.

We denote by $I\Sigma_{n+1}$ the fragment of Peano arithmetic whose axioms are
axioms of Robinson arithmetic and the induction axioms for $\Sigma_{n+1}$-formulas.

Let $T$ be a fragment of Peano arithmetic. We say that a formula $\phi$ is $\Sigma_n$
($\Pi_n$) in $T$ if there is a formula $\psi \in \Sigma_n$ ($\psi \in \Pi_n$) such that $T \vdash \phi \leftrightarrow \psi$.

4.3 Witnessing theorem. Consider a $\Sigma_1$-formula $\phi(x_1, \ldots, x_n, y)$ with all of
its free variables among the indicated ones and assume that a fragment $T$ is such
that

$T \vdash \exists y\,\phi(x_1, \ldots, x_n, y)$ . (1)

Then clearly, there is a witness to the existential quantifier, i.e. a function $f$ such
that for all numbers $k_1, \ldots, k_n$ we have



The formula $\phi$ has a form $\exists z_1 \ldots \exists z_m\,\phi_1$ where the $\Sigma_0$-formula $\phi_1$ is constructed
by primitive recursive operations. The witness, which for given $x_1, \ldots, x_n$ looks
for the least number $v$ of the form $(y, z_1, \ldots, z_m)$ whose projections make the
formula $\phi_1$ true and then yields $H(v)$, is clearly a recursive function.

The fragment which we have adopted as the formal system of CL is $I\Sigma_1$-
arithmetic. We have chosen this fragment because the witnessing theorem for
$I\Sigma_1$ [Kre52,Par70,Min73] says that every $\Sigma_1$-formula $\phi$ for which (1) holds has
a primitive recursive witness. Moreover, a primitive recursive derivation of the
witness can be mechanically extracted from the proof.



4.4 Recursive extensions. CL as a programming language allows incremen-
tal addition of new definitions of functions and predicates. This has a corre-
spondence in the formal system where a fragment $T$ of Peano arithmetic can be
extended to the fragment $T_1$ by a recursive extension. For functions this means
that when

$T \vdash \forall \vec{x}\,\exists! y\,\phi(\vec{x}, y)$

with $\phi \in \Sigma_1$ the language $\mathcal{L}_1$ of $T_1$ is obtained by adding a new $n$-ary function
symbol $f$ to the language of $T$. Axioms of $T_1$ are those of $T$ plus the defining
axiom for $f$:

$f(\vec{x}) = y \leftrightarrow \phi(\vec{x}, y)$ . (1)

With the addition of a new function symbol to $T$ we uniquely expand the stan-
dard model $\mathcal{N}$.

Classes of formulas $\Sigma_n(f)$ and $\Pi_n(f)$ in the language $\mathcal{L}_1$ are defined similarly
as the corresponding classes $\Sigma_n$ and $\Pi_n$ (see Par. 4.2).

The graph of $f$, i.e. the left-hand side of the above equivalence, is given by
a $\Sigma_1$-formula. The fragment $T_1$ clearly proves that the graph is equivalent to
$\forall z(\phi(x_1, \ldots, x_n, z) \to y = z)$ which is easily shown to be $\Pi_1$ in $T$. This fact
permits an elimination of all occurrences of $f$ from formulas of $\mathcal{L}_1$ by replacing
every atomic formula $\psi_y[f(\vec{x})]$ by formulas $\exists y(\phi(\vec{x}, y) \wedge \psi)$ or $\forall y(\phi(\vec{x}, y) \to \psi)$
(depending on the polarity of the replaced formula) either of which is equivalent
in $T_1$ to the replaced formula. As a consequence every $\Sigma_1(f)$ ($\Pi_1(f)$) formula is
a $\Sigma_1$ ($\Pi_1$) formula in $T_1$. For this reason $T_1$ is conservative over $T$, i.e. if for a for-
mula $\psi$ of $\mathcal{L}$ we have $T_1 \vdash \psi$ then also $T \vdash \psi$. In other words, recursive extensions
do not add anything new to the extended theories except increased expressivity.
In situations where there can be no confusion we will use the symbol $I\Sigma_1$ to
denote also the axioms of recursive extensions. We can use introduced symbols
in induction axioms and in the formulas introducing new symbols because they
can be always eliminated without increasing the quantifier complexity.



4.5 Primitive recursive functions in $I\Sigma_1$. For every primitive recursive
function $f$ there is a recursive extension of $I\Sigma_1$ which proves the identities used
in the derivation of $f$ (i.e. those in the proof of Thm. 3.9) as theorems. Vice
versa, if we extend $I\Sigma_1$ with suitable recursive identities for primitive recursive
functions as axioms we can derive their defining axioms 4.4(1) as theorems. This
equivalence has the advantage that the axioms in recursive extensions can be
taken as open formulas (i.e. formulas without quantifiers).

The pairing function $(x, y)$ and its projections $H$ and $T$ are primitive recur-
sive. So the functions can be introduced into a recursive extension of $I\Sigma_1$ in such
a way that their properties given in Par. 1.1 are theorems.



4.6 Pair induction. The principle of pair induction 1.1(1) for any $\Sigma_1$-formula
$\phi$ can be proved in a recursive extension containing the pairing function. We rea-
son in the extension, assume the antecedent of 1.1(1), and continue by induction
on $z$ with the formula $\forall x < z\,\phi(x)$ (which is $\Sigma_1$ in the extension). For the base
case there is nothing to prove. If $x < z + 1$ then we distinguish two cases. If
$x = 0$ we have $\phi(x)$ from the assumption. Otherwise there are $v$ and $w$ such that
$v, w < (v, w) = x \le z$ and so $\phi(v)$ and $\phi(w)$ by IH. Hence, $\phi(v, w)$ from the
assumption. Now, since $x < x + 1$, we have $\phi(x)$ for any $x$.



4.7 $\Pi_{n+1}$-induction in $I\Sigma_{n+1}$. For every $\phi(x) \in \Pi_{n+1}$ the theory $I\Sigma_{n+1}$
proves the $\Pi_{n+1}$-induction principle 4.1(1). We reason in $I\Sigma_{n+1}$ and assume the
antecedent of 4.1(1) as well as $\neg\forall x\,\phi(x)$. For some $x$ we then have $\neg\phi(x)$ and we
prove

$z \le x \to \neg\phi(x - z)$ , (1)

which is $\Sigma_{n+1}$ in $I\Sigma_{n+1}$, by induction on $z$. For $z = 0$ this follows from $\neg\phi(x)$.
If $z + 1 \le x$ then $z < x$ and $\neg\phi(x - z)$ from IH. From $x - z > 0$ we have
$x - (z + 1) + 1 = x - z$ and so $\neg\phi(x - (z + 1))$ from the inductive assumption of
4.1(1). By taking $z = x$ we get from (1) a contradiction $\neg\phi(0)$.

4.8 Clausal definitions in $I\Sigma_1$. Every clausal definition admissible in CL
can be mechanically transformed into the form 3.1(1). The demonstration that
the two forms are equivalent does not require induction and can be formalized
in any fragment of arithmetic.

We wish to prove the property 3.1(1) as a theorem in a suitable recursive
extension of $I\Sigma_1$. This is a technically quite demanding proof because we have
to make sure that the inductions needed in the reduction of 3.1(1) first to nested
simple recursion in Par. 3.6 and then in the proof of Peter’s theorem 3.7 are
available. This is indeed the case and the formalization of Peter’s theorem goes
through. Obviously, we cannot do the proof here and so we just state the for-
malized version of Peter’s theorem:

4.9 Formalized Peter’s theorem. If the function $f$ is defined by nested
simple recursion from primitive recursive functions then there is a recursive ex-
tension of $I\Sigma_1$ which proves the identities 3.6(1)(2) as theorems. □

4.10 Proof obligations. Before a recursive clausal definition is accepted its 
regularity must be proved in CL (this is called a proof obligation) . The proof turns 
the semantic condition of regularity (in general undecidable) to a syntactic one 
(which is decidable) . It should be clear that by replacing the semantic condition 
by a syntactic one we do not lose any primitive recursive function extensionally, 
we may just lose some definitions intensionally, i.e. as rewriting rules. It can 
happen that $I\Sigma_1$ is not strong enough to prove a condition of regularity which
is true in $\mathcal{N}$.

4.11 Ackermann-Peter function revisited. By the witnessing theorem we
have $I\Sigma_1 \nvdash \exists z\,\bar{A}(z, x, y) > 0$ for the function $\bar{A}$ from Par. 3.10 because the
primitive recursive witnessing function $\bar{m}(x, y)$ would make also the Ackermann-
Peter function $A$ primitive recursive. However, we can introduce $A$ into $I\Sigma_2$ by
proving

$\forall y\,\exists z\,\bar{A}(z, x, y) > 0$ (1)

by $\Pi_2$-induction on $x$. For $x = 0$ we take $z = 0$. For $x + 1$ we proceed by
induction on $y$ with the $\Sigma_1$-formula $\exists z\,\bar{A}(z, x + 1, y) > 0$. In the base case we
get a $z_1$ such that $\bar{A}(z_1, x, 1) > 0$ from the outer IH and set $z = z_1 + 1$. In
the inductive case we get a $z_1$ s.t. $\bar{A}(z_1, x + 1, y) > 0$ from the inner IH and
a $z_2$ s.t. $\bar{A}(z_2, x, \bar{A}(z_1, x + 1, y) - 1) > 0$ from the outer IH. We then set $z =
\max(z_1, z_2) + 1$.

4.12 Theorem of Parsons. Because $\Pi_1$-induction is available in $I\Sigma_1$ the
theory proves the property 2.3(1). On the other hand, $\Pi_2$-induction is not avail-
able in $I\Sigma_1$ and we cannot directly prove the property 2.4(1) needed for the
extraction of the witnessing function Rta. Fortunately, a theorem by Parsons
[Par70,Bus94,Sie91] helps us here. The theorem says that







Robinson arithmetic plus $\Pi_{n+2}$-rules inferring $\forall x\,\phi(x)$ from $\phi(0)$ and
$\forall x(\phi(x) \to \phi(x + 1))$ for any $\phi \in \Pi_{n+2}$ are $\Pi_{n+2}$-conservative over
$I\Sigma_{n+1}$.

In our special case $n = 1$ this means that we can derive the $\Pi_2$-formula
2.4(1) by a $\Pi_2$-induction rule and then use the conservativity to derive the same
formula in $I\Sigma_1$. This is possible because the proof of 2.4(1) is without any side
assumptions. Note that this is not the case in the proof of 4.11(1) because the
inner induction uses the outer IH as a side assumption and thus cannot be turned
into a rule.

4.13 Formal proof system of CL. We will outline the proof of a liberal-
ization of the case $n = 1$ of Parsons theorem in Thm. 4.15. As this is a proof-
theoretic argument we now present the proof system of CL which are signed
tableaux of Smullyan [Smu68]. We write $\phi^*$ instead of Smullyan’s $F\phi$ and $\psi$
instead of $T\psi$. We can view formulas $\phi^*$ as goals to be proved under the as-
sumptions given by the formulas $\psi$.

A branch of a signed tableau can be viewed as a sequent where the conjunction 
of assumptions implies the disjunction of goals. This interpretation of signed 
tableaux gives them a flavor of natural deduction which can be readily translated 
into English description of proofs (as it is the case in CL). We just mention here 
that this aspect of signed tableaux seems to have escaped the workers in the 
field and CL is probably the first formal system with such an interpretation. 

If we wish to prove a formula $\phi$ we write it down as a goal $\phi^*$ and then
proceed to build a tableau as a downwards growing tree with the following 
expansion rules. 

Propositional rules: 

p — > p* p V p* p Ap p A p* py p p — > p —'p* —'p 

p p* p p* \ p* p \ p p \ p*. p p* 

p* p* p 

Equational rules: 

s = t s = t t = u 
s = s t = s s = u 

Si — ti ' ' ' Sn — tn Si — t\ • • ' Sn — tn A(si, . . • , Sp) 

f {s I j . . . , Sn) — f (ti^ ... pn) R{tlj • • • Pn) 

Quantifier rules (f : y is an eigen- variable): 

yxp{x)* 3xp{x) 3xp{x)* \/xp{x) 

Hy)* <k{y) ^(s)* </*(«) 

Axiom (f) and Cut (|) rules: 

p^ p\ p*^ 
$\Sigma_1$-induction rule for $\exists x\,\phi(z, x)$ where $\phi(z, x) \in \Sigma_0$, $z$, $y$ eigen-variables:

$\exists x\,\phi(s, x)^*$

$\exists x\,\phi(0, x)^*$

$\phi(z, y)$

$\exists x\,\phi(z + 1, x)^*$



Axioms are the axioms of Robinson arithmetic as well as the defining axioms
for introduced function and predicate symbols. A tableau is closed if each of its
branches is closed, i.e. contains $\phi$ and $\phi^*$ for some formula.

By a straightforward argument, similar to the one discussed in [KV95], we
can show that a $\Sigma_1$-induction axiom can be eliminated by replacing it with a
$\Sigma_1$-induction rule. Vice versa, every $\Sigma_1$ induction rule can be replaced by a
$\Sigma_1$-induction axiom. This means that the CL proof system is equivalent to any
complete proof system with $I\Sigma_1$ axioms, i.e. we have $I\Sigma_1 \vdash \phi$ iff there is a closed
tableau for

By the standard cut elimination argument adapted to tableaux (see [KV95])
we can eliminate from a closed tableau all cuts except the ones anchored to an
induction rule, i.e. such where the cut formula $\phi^*$ is the premise of an induction
rule.



4.14 Weak $\Pi_2$-induction rule. All tableau expansion rules introduced in
Par. 4.13 are local in the sense that one expansion rule does not interfere with
another one. The following rules are not such. Let $\phi(z, x, y) \in \Sigma_0$. The weak
$\Pi_2$-induction rule for the formula $\forall x\,\exists y\,\phi(z, x, y)$ is

$\exists y\,\phi(s, t, y)^*$

$\exists y\,\phi(0, u, y)^*$

$\forall x\,\exists y\,\phi(z, x, y)$
$\exists y\,\phi(z + 1, u, y)^*$

where $z$ and $u$ are eigen-variables. We attach an additional non-local condition
to this rule because otherwise the rule would be equivalent to the corresponding
$\Pi_2$-induction axiom. The condition is that every tableau expansion by a weak
$\Pi_2$-induction rule as well as every expansion of an induction rule below it
(including $\Sigma_1$-induction rules) may have at most weak side formulas. We say
that an induction rule has a side formula $\phi$ if $\phi$ appears in the branch above the
conclusion and it is a premise of a rule used below this conclusion. Weak side
formulas are $\Sigma_1$-formulas in goals, $\Pi_1$-formulas in assumptions and $\Sigma_0$-formulas
anywhere.



4.15 Theorem (Elimination of weak $\Pi_2$-induction rules). Theorems proved
by tableaux with weak $\Pi_2$-induction rules are provable in $I\Sigma_1$.

Proof. In the tableau proof $p$ of the following Witnessing lemma we may as-
sume without loss of generality that the bounded quantifiers are eliminated by
going into a suitable extension, that adjacent quantifiers of the same kind are
contracted by pairing, that the cuts are anchored to induction, i.e. they are with
$\Sigma_1$-formulas, and that all axioms are open. All formulas named by Greek letters
can be thus assumed to be open. The idea of the proof is similar to the very
terse outline given in [Bus94] but it is done here in more detail because unlike
[Bus94] we have the necessary primitive recursive apparatus developed. In the
Witnessing lemma we show just one weak side formula corresponding to a $\Sigma_1$-
goal, remaining side formulas are indicated by $\cdots$ but the reader should bear in
mind that the witness found for the shown side formula is to be found also for
every not shown quantified formula in exactly the same way.

Witnessing lemma: If $p$ is a closed tableau with weak $\Pi_2$-induction rules for
assumptions and goals corresponding to the sequent

'ix3y(j)i{wi,x,y) ^ , ( 1 ) 

where all free variables are indicated and $\vec{w}_1$ is a subsequence of $\vec{w}$, then a suitable
recursive extension of $I\Sigma_1$ proves for a new function symbol $f_1$:

a;)) ^ t(/i(wi, •).!«))••• ■ (2) 

The proof is similar to the proof of lemma needed for the $I\Sigma_1$ witnessing theorem
and it is by induction on the construction of $p$. We do just two new cases. If the
first expansion in $p$ is by the instantiation $\exists y\,\phi_1(\vec{w}_1, s, y)$ of the $\Pi_2$-assumption
in (1) then we may assume without loss of generality that the next expansion
introduces the eigen-variable $y$: $\phi_1(\vec{w}_1, s, y)$. We use IH with the last formula as
a new assumption and $y$ as a new parameter and so a suitable extension of $I\Sigma_1$
proves

$\forall x\,\phi_1(\vec{w}_1, x, f_1(\vec{w}_1, x)) \wedge \phi_1(\vec{w}_1, s, y) \to \cdots\,\psi(\vec{w}, t_1(f_1(\vec{w}_1, \cdot), \vec{w}, y)) \cdots$ .

By setting $y$ to $f_1(\vec{w}_1, s)$ we may discharge the second assumption and get (2).

Let the first expansion in $p$ be by a weak $\Pi_2$-induction rule for the formula
$\forall x\,\exists y\,\phi(\vec{w}, z, x, y)$ with the premise $\exists y\,\phi(\vec{w}, s_1(\vec{w}), s_2(\vec{w}), y)$. Without loss of gen-
erality we may assume that the premise is not used in $p$ and so we remove it from
the side formulas. We also remove the $\Pi_2$-assumption $\forall x\,\exists y\,\phi_1$ because it cannot
be used in $p$. For the base-case branch of $p$ we add a new goal $\exists y\,\phi(\vec{w}, 0, x, y)$
with the eigen-variable $x$. A suitable extension of $I\Sigma_1$ proves by IH:

$\phi(\vec{w}, 0, x, s_3(\vec{w}, x)) \vee \cdots\,\psi(\vec{w}, t_1(\vec{w}, x)) \cdots$ .

For the inductive-case branch of $p$ we add a new $\Pi_2$-assumption $\forall x\,\exists y\,\phi(\vec{w}, z, x, y)$
and a new goal $\exists y\,\phi(\vec{w}, z + 1, x, y)$ for two eigen-variables $z$ and $x$. A suitable
extension of $I\Sigma_1$ proves by IH:

$\forall x\,\phi(\vec{w}, z, x, f(\vec{w}, z, x)) \to$

$\phi(\vec{w}, z + 1, x, s_4(f(\vec{w}, z, \cdot), \vec{w}, z, x)) \vee \cdots\,\psi(\vec{w}, t_2(\vec{w}, z, x)) \cdots$ . (3)

We extend the theory unifying both theories from IH by $f$ defined by nested
simple recursion:

$f(\vec{w}, 0, x) = s_3(\vec{w}, x)$

$f(\vec{w}, z + 1, x) = s_4(f(\vec{w}, z, \cdot), \vec{w}, z, x)$ .

This is a slight misuse of notation because we use the same symbol $f$ as the
one in (3) but nothing happens because we now substitute in it the new symbol
for the old one. Formula (3) is now $\Sigma_1$ in the current extension and by the
Witnessing theorem for $I\Sigma_1$ we get for a function $h(\vec{w}, z, x)$

$\phi(\vec{w}, z, h(\vec{w}, z, x), f(\vec{w}, z, h(\vec{w}, z, x))) \to$

$\phi(\vec{w}, z + 1, x, s_4(f(\vec{w}, z, \cdot), \vec{w}, z, x)) \vee \cdots\,\psi(\vec{w}, t_2(\vec{w}, z, x)) \cdots$

We define by (un)nested simple recursion the function $g(\vec{w}, z, x)$:

$g(\vec{w}, 0, x) = t_1(\vec{w}, x)$

$g(\vec{w}, z + 1, x) = t_2(\vec{w}, z, x) \leftarrow \phi(\vec{w}, z, h(\vec{w}, z, x), f(\vec{w}, z, h(\vec{w}, z, x)))$

$g(\vec{w}, z + 1, x) = g(\vec{w}, z, h(\vec{w}, z, x)) \leftarrow \neg\phi(\vec{w}, z, h(\vec{w}, z, x), f(\vec{w}, z, h(\vec{w}, z, x)))$ .

By a not too difficult $\Pi_1$-induction on $z$ we prove

$\forall x\,(\phi(\vec{w}, z, x, f(\vec{w}, z, x)) \vee \cdots\,\psi(\vec{w}, g(\vec{w}, z, x)) \cdots)$ .

We now substitute $s_1$ for $z$ and $s_2$ for $x$ and get (2). This ends the proof of the
Witnessing lemma.

Now, given a closed tableau $p$ with weak $\Pi_2$-induction rules, we replace all
top uses of such rules by tableaux without the $\Pi_2$-rules. Each such tableau is
obtained from the Witnessing lemma without a $\Pi_2$ assumption but with all weak
side formulas used in the corresponding $\Pi_2$-rule. □

4.16 Induction with measure. The schema of recursion with measure 3.1(1)
calls for the corresponding schema of induction with measure:

$\forall x\,(\forall y\,(m(y) < m(x) \to \phi(y)) \to \phi(x)) \to \forall x\,\phi(x)$ .

We just state here without a proof that this can be reduced into a $\Pi_1$-induction
formula for $\phi \in \Pi_1$ and into a weak $\Pi_2$-induction rule for $\phi \in \Pi_2$.

5 Conclusion 

We have hopefully demonstrated that CL is a simple language and proof system 
with natural semantics in N. In this paper we have presented only the
simplest form of CL. The full language contains many built-in functions and
automatically offers derived induction schemas like the structural induction (see 
Par. 2.2). 

Our two years’ experience with teaching CL shows that the first and second
year students have no problems defining functions in CL and seem to enjoy doing 
the formal proofs of their properties. On the other hand, the characterization 
of CL requires deep mathematical knowledge and relies on two almost forgot- 
ten theorems of logic. Obviously, we do not teach the characterization in the 
introductory courses. 

The interested reader will find in our home-page the executable file of a 
PC implementation of CL as well as a partially finished text on CL which will 
eventually contain in detail the material of this paper. We are also preparing 
lecture notes for the courses we teach with CL. 
Abstract. The first philosophically motivated sentential logics to be
proved undecidable were relevant logics like R and E. But we deal here
with important decidable fragments thereof, like $R_\to$. Their decidability
rests on S. Kripke’s gentzenizations, together with his central combina-
torial lemma. Kripke’s lemma has a long history and was reinvented
several times. It turns out equivalent to and a consequence of Dickson’s
lemma in number theory, with antecedents in Hilbert’s basis theorem.
This lemma has been used in several forms and in various fields. For
example, Dickson’s lemma guarantees termination of Buchberger’s algo-
rithm that computes the Gröbner bases of polynomial ideals. In logic,
Kripke’s lemma is used in decision proofs of some substructural logics
with contraction. Our preferred form here of Dickson-Kripke is the Infi-
nite Division Principle (IDP). We present our proof of IDP and its use
in proving the finite model property for $R_\to$.



1 Introduction 

The Patron Saint of the Logicians Liberation League is Alasdair Urquhart, whose 
SECOND miracle was his proof that the major relevant logics of [AB75,ABD92] 
are undecidable. But our chief concerns in this paper are pre-Urquhart. We shall 
examine decidable fragments of the major relevant logics (especially R) and dwell 
on the combinatorics underlying their decision procedures, mainly the Dickson’s, 
Kripke’s and Meyer’s lemmas and their ancestor, Hilbert’s finite basis theorem. 
The main proofs in this paper are that of the IDP and the finite model property 
for some decidable fragments. We shall also mention briefly Urquhart’s further
results on the computational complexity of the decision procedures based on 
such principles. 

The FIRST substructural logic was the system $R_\to$ of pure relevant impli-
cation.^ And no sooner had $R_\to$ been seriously proposed than the question of

^ $R_\to$ was introduced by Moh-Shaw-Kwei and by Church circa 1950, e.g. in [Ch51]. But
Dosen [Do92] dug up [Or28], which basically already had relevant arrow, negation 
and necessity. 